Abstract

We show a model construction for a system of higher-order illative combinatory logic $\mathcal{I}_\omega$, thus establishing its strong consistency. We also use a variant of this construction to provide a complete embedding of first-order intuitionistic predicate logic with second-order propositional quantifiers into the system $\mathcal{I}_0$ of Barendregt, Bunder and Dekkers, which gives a partial answer to a question posed by these authors.

1 Introduction

Illative systems of combinatory logic or lambda-calculus consist of type-free combinatory logic or lambda-calculus extended with additional constants intended to represent logical notions. In fact, the whole point of introducing lambda calculus and combinatory logic in the early 1930s was initially to create such a system. However, this approach quickly led to paradoxes, and preference was given to systems restricted by some typing regime. Thus, illative systems fell into obscurity.

It has proven surprisingly difficult to formulate and show consistent illative systems strong enough to interpret traditional logic. This was accomplished only in [BBD93], [DBB98a] and [DBB98b], where several systems were shown complete for the universal-implicational fragment of first-order intuitionistic predicate logic.

The difficulty in proving consistency of illative systems in essence stems from the fact that, lacking a type regime, arbitrary recursive definitions involving logical operators may be formulated, including negative ones. In early systems containing an unrestricted implication introduction rule this was the reason for the Curry's paradox [BBD93], [CFC58, §8A], where an arbitrary term $X$ is derived using a term $Y$ satisfying $Y =_\beta Y \supset X$. For an overview of and introduction to illative combinatory logic see [BBD93], [Sel09] or [CFC58].

Systems of illative combinatory logic are very close to Pure Type Systems. The rules of illative systems, however, have fewer restrictions, judgements have the form $\Gamma \vdash t$ where $t$ is an arbitrary term instead of $\Gamma \vdash N : C$, and types are represented by terms. This connection has been explored in [BD05] where some illative-like systems were proven equivalent to more liberal variants of PTSes from [BD01]. Those illative systems, however, differ somewhat from what is in the literature.

In [Cza11] an algebraic treatment of a combination of classical first-order logic with type-free combinatory logic was given. On the face of it, the system of [Cza11] seems to be not quite like traditional illative combinatory logic, but the methods used in the present paper are a (substantial) extension of those from [Cza11].

In this work we construct a model for a system of classical higher-order illative combinatory logic $\mathcal{I}_\omega^c$, thus establishing a strong consistency result. We also use a variant of this construction to improve slightly on the results of [BBD93]. We show a complete embedding of the system PRED2$_0$ of first-order intuitionistic many-sorted predicate logic with second-order propositional quantifiers into the system $\mathcal{I}_0$ which is an extension of $\mathcal{I}\Xi$ from [BBD93].

To be more precise, we define a translation $\lceil - \rceil$ from the language of PRED2$_0$ to the language of $\mathcal{I}_0$, and a mapping $\Gamma$ from sets of formulas of PRED2$_0$ to sets of terms of $\mathcal{I}_0$. The embedding is proven to satisfy the following for any formula $\varphi$ of PRED2$_0$ and any set of formulas $\Delta$ of PRED2$_0$:

$$\Delta \vdash_{\mathrm{PRED2}_0} \varphi \quad\text{iff}\quad \lceil\Delta\rceil, \Gamma(\Delta, \varphi) \vdash_{\mathcal{I}_0} \lceil\varphi\rceil$$

where $\Delta, \varphi$ stands for $\Delta \cup \{\varphi\}$. The implication from left to right is termed soundness of the embedding, from right to left - completeness.
Our methods are quite different from those of [BBD93], where an entirely syntactic approach is adopted. We define Kripke semantics for illative systems and prove it sound and complete¹. Given a Kripke model $\mathcal{N}$ for PRED2$_0$ we show how to construct an illative Kripke model $\mathcal{M}$ for $\mathcal{I}_0$ such that exactly the translations of statements true in a state of $\mathcal{N}$ are true in the corresponding state of $\mathcal{M}$. This immediately implies completeness of the embedding.

The model constructions for $\mathcal{I}_0$ and are similar, but the latter is much more intricate. The basic idea is to define for each ordinal $\alpha$ a relation $\succ_\alpha$ between terms and so-called "canonical terms". To every canonical term we associate a unique type. In a sense, the set of all canonical terms of a given type fully describes this type. Intuitively, $t \succ_\alpha \rho$ holds if $\rho$ is a "canonical" representative of $t$ in the type of $\rho$. This relation encompasses a definition of truth when $\rho \in \{\top, \bot\}$. Essentially, $\succ_\alpha$ is defined by transfinite induction in a monotone way, so there must exist some ordinal $\zeta$ such that $\succ_\alpha = \succ_\zeta$ for $\alpha > \zeta$. We use the relation $\succ_\zeta$ to define our model. Then it remains to prove that what we obtain really is the kind of model we expect, which is the hard part.



2 Preliminaries 

In this section we define the system PRED2$_0$ of first-order many-sorted intuitionistic predicate logic with second-order propositional quantifiers, together with its (simplified) Kripke semantics. We also briefly recapitulate the definition of full models for a system of classical higher-order logic PRED$\omega^c$.

Definition 2.1. The system PRED$\omega$ of higher-order intuitionistic logic is defined as follows.

• The types are given by

$$\mathcal{T} ::= o \mid \mathcal{B} \mid \mathcal{T} \to \mathcal{T}$$

where $\mathcal{B}$ is a specific finite set of base types. The type $o$ is the type of propositions.

• The set of terms of PRED$\omega$ of type $\tau$, denoted $T_\tau$, is defined by the following grammar, where for each type $\tau$ the set $V_\tau$ is a countable set of variables and $\Sigma_\tau$ is a countable set of constants.

$T_\tau ::= V_\tau \mid \Sigma_\tau \mid T_{\sigma\to\tau} \cdot T_\sigma$ for all $\sigma, \tau \in \mathcal{T}$
To ::= I Eo I To D To I VK-To for r G T 

Terms of type o are called formulas. 

• We identify $\alpha$-equivalent formulas, i.e. formulas differing only in the names of bound variables are considered identical.

• The system PRED$\omega$ is given by the following rules and an axiom, where $\Delta$ is a finite set of formulas, $\varphi$, $\psi$ are formulas. The notation $\Delta, \varphi$ is a shorthand for $\Delta \cup \{\varphi\}$.

Axiom 



Rules 



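$$\supset_i:\ \frac{\Delta, \varphi \vdash \psi}{\Delta \vdash \varphi \supset \psi} \qquad \supset_e:\ \frac{\Delta \vdash \varphi \supset \psi \quad \Delta \vdash \varphi}{\Delta \vdash \psi}$$

$$\forall_i:\ \frac{\Delta \vdash \varphi}{\Delta \vdash \forall x.\varphi}\ \ x \notin FV(\Delta) \qquad \forall_e:\ \frac{\Delta \vdash \forall x.\varphi}{\Delta \vdash \varphi[x/t]}$$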


¹ In fact, for completeness of the embedding the easier soundness of the semantics would suffice, i.e. the completeness of the semantics is not necessary for the main results of this paper.

The classical variant PRED$\omega^c$ is defined by adding to PRED$\omega$ the law of double negation as an axiom

$$\Delta \vdash ((\varphi \supset \bot) \supset \bot) \supset \varphi$$

where $\bot = \forall x_o . x_o$ and $x_o \in V_o$.

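The system PRED2$_0$ is the fragment of second-order many-sorted predicate calculus restricted to formulas in which second-order quantifiers are only propositional. It is obtained from PRED$\omega$ by restricting the types to

$$\mathcal{T} ::= o \mid \mathcal{B} \mid \mathcal{B} \to \mathcal{T}$$

and changing the definition of terms to

$T_\tau ::= V_\tau \mid \Sigma_\tau \mid T_{\sigma\to\tau} \cdot T_\sigma$ for all $\tau \in \mathcal{T}$, $\sigma \in \mathcal{B}$
$T_o ::= V_o \mid \Sigma_o \mid T_{\sigma\to o} \cdot T_\sigma \mid T_o \supset T_o \mid \forall V_\tau . T_o$ for $\tau \in \mathcal{B} \cup \{o\}$, $\sigma \in \mathcal{T}$

For an arbitrary set $\Delta$ we write $\Delta \vdash_S \varphi$ if $\varphi$ is derivable from a subset of $\Delta$ in system $S$. We drop the subscript when obvious or irrelevant. Note that we trivially have weakening with this definition, i.e. if $\Delta \vdash \varphi$ then $\Delta' \vdash \varphi$ for any $\Delta' \supseteq \Delta$.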

In the rest of this paper we assume a fixed set of base types and fixed sets of constants for each type $\tau \in \mathcal{T}$. We assume $\mathcal{T}$, $T_\tau$, etc. to refer either to PRED$\omega$ or PRED2$_0$, depending on the context.

The systems contain only $\supset$ and $\forall$ as logical operators. However, it is well-known that all other connectives may be defined from these with the help of the second-order propositional universal quantifier.

We denote by $t[x/t']$ a term obtained from $t$ by simultaneously substituting all free occurrences of $x$ with $t'$. We use a similar notation for variable valuations.

Definition 2.2. A full model for PRED$\omega^c$ is a pair

$$\mathcal{M} = \langle \{\mathcal{D}_\tau \mid \tau \in \mathcal{T}\}, I \rangle$$

where each $\mathcal{D}_\tau$ is a nonempty set for $\tau \in \mathcal{B}$, $\mathcal{D}_o = \{\top, \bot\}$, each $\mathcal{D}_{\tau_1\to\tau_2}$ is the set of all functions from $\mathcal{D}_{\tau_1}$ to $\mathcal{D}_{\tau_2}$, and $I$ is a function mapping constants of type $\tau$ to $\mathcal{D}_\tau$. The valuation function $[\![\,]\!]$ and the satisfaction relation $\models$ are defined in the standard way. It is well-known and easy to show that $\Delta \vdash_{\mathrm{PRED}\omega^c} \varphi$ implies $\Delta \models \varphi$.

The rest of this section is devoted to introducing a simplified variant of Kripke semantics for PRED2$_0$ and proving it sound and complete. The development is mostly but not completely standard.

Definition 2.3. A Kripke pre-model of PRED2$_0$ is a tuple

$$\mathcal{M} = \langle \mathcal{S}, \le, \{\mathcal{D}_\tau \mid \tau \in \mathcal{T}\}, \cdot, I, \sigma \rangle$$

where $\mathcal{S}$ is a set of states, $\le$ is a partial order on $\mathcal{S}$, the set $\mathcal{D}_\tau$ is the domain for type $\tau$, the function $\cdot$ is a binary application operation, $I$ is an interpretation of constants, and $\sigma$ is a function assigning upward-closed (w.r.t. $\le$) subsets of $\mathcal{S}$ to elements of $\mathcal{D}_o$. We sometimes write $\sigma_{\mathcal{M}}$, $\mathcal{S}_{\mathcal{M}}$, etc., to stress that they are components of $\mathcal{M}$. Furthermore, the following conditions are imposed on a Kripke pre-model:

• $\mathcal{D}_\tau$ is nonempty for any $\tau$,

• for any $d_1 \in \mathcal{D}_{\tau_1\to\tau_2}$ and $d_2 \in \mathcal{D}_{\tau_1}$ we have $d_1 \cdot d_2 \in \mathcal{D}_{\tau_2}$,

• $I(c) \in \mathcal{D}_\tau$ for any $c \in \Sigma_\tau$.

A valuation is a function mapping variables of type $\tau$ to elements of $\mathcal{D}_\tau$. When we want to stress that a valuation is associated with a structure $\mathcal{M}$, we call it an $\mathcal{M}$-valuation. For a given structure $\mathcal{M}$ and an $\mathcal{M}$-valuation $u$, an interpretation $[\![\,]\!]^u_{\mathcal{M}}$ is a function mapping terms of type $\tau$ to $\mathcal{D}_\tau$, and satisfying the following:

• $[\![x]\!]^u_{\mathcal{M}} = u(x)$ for a variable $x$,

• $[\![c]\!]^u_{\mathcal{M}} = I(c)$ for $c \in \Sigma_\tau$.
We use the notation $[\![\,]\!]_{\mathcal{M}}$ for a fixed, arbitrary valuation.

For a formula $\varphi$, a state $s$ and a valuation $u$ we write $s, u \Vdash_{\mathcal{M}} \varphi$ if $s \in \sigma([\![\varphi]\!]^u_{\mathcal{M}})$. Given a set of formulas $\Delta$, we use the notation $s, u \Vdash_{\mathcal{M}} \Delta$ if $s, u \Vdash_{\mathcal{M}} \varphi$ for all $\varphi \in \Delta$. We drop the subscript $\mathcal{M}$ when obvious or irrelevant.

A Kripke model is a Kripke pre-model $\mathcal{M}$ satisfying the following for any state $s$ and any valuation $u$:

• $s, u \Vdash \varphi \supset \psi$ iff for all $s' \ge s$ such that $s', u \Vdash \varphi$ we have $s', u \Vdash \psi$,

• $s, u \Vdash \forall x_\tau.\varphi$ for $x_\tau \in V_\tau$ iff for all $s' \ge s$ and all $d \in \mathcal{D}_\tau$ we have $s', u[x_\tau/d] \Vdash \varphi$,

• $s, u \nVdash \forall p.p$ for $p \in V_o$.

We write $\Delta \Vdash \varphi$ if for every Kripke model $\mathcal{M}$, every state $s$ of $\mathcal{M}$, and every valuation $u$, the condition $s, u \Vdash_{\mathcal{M}} \Delta$ implies $s, u \Vdash_{\mathcal{M}} \varphi$.

Remark 2.4. What we call Kripke semantics is in fact a somewhat simplified version of the usual notion. It is not much more than a reformulation of the inference rules. There are no conditions for connectives other than $\forall$ and $\supset$, so for instance with our definition $s, u \Vdash \varphi \vee \psi$ need not imply $s, u \Vdash \varphi$ or $s, u \Vdash \psi$, where $\varphi \vee \psi$ is defined in the standard way as $\forall x_o.(\varphi \supset x_o) \supset (\psi \supset x_o) \supset x_o$. We also assume constant domains². The resulting notion of a model is quite syntactic, which allows us to simplify the usual completeness proof considerably.

Another peculiarity is the presence of $\sigma$. It may seem superfluous, but it is necessary in the Kripke semantics for illative systems in Section 3 where we do not know a priori which terms represent propositions. For the sake of uniformity we already introduce it here.

Lemma 2.5. If $\mathcal{M}$ is a Kripke model, $x \in V_\tau$, $t_0 \in T_\tau$, $t \in T_{\tau'}$, $\tau' \ne o$ and $u' = u[x/[\![t_0]\!]^u_{\mathcal{M}}]$, then:

$$[\![t[x/t_0]]\!]^u_{\mathcal{M}} = [\![t]\!]^{u'}_{\mathcal{M}}$$

Proof. Straightforward induction on the size of $t$. □

Lemma 2.6. If $\mathcal{M}$ is a Kripke model, $x \in V_\tau$, $t \in T_\tau$, $\varphi \in T_o$ and $u' = u[x/[\![t]\!]^u_{\mathcal{M}}]$, then for all states $s$:

$$s, u \Vdash \varphi[x/t] \quad\text{iff}\quad s, u' \Vdash \varphi$$

Proof. We proceed by induction on the size of $\varphi$. If $\varphi$ is a constant, a variable, or $\varphi = t_1 t_2$, then the claim follows from Lemma 2.5.

Assume $\varphi = \varphi_1 \supset \varphi_2$. Suppose $s, u \Vdash \varphi_1[x/t] \supset \varphi_2[x/t]$ and let $s' \ge s$ be such that $s', u' \Vdash \varphi_1$. By the IH we have $s', u \Vdash \varphi_1[x/t]$, hence $s', u \Vdash \varphi_2[x/t]$. Applying the IH again we obtain $s', u' \Vdash \varphi_2$. This implies that $s, u' \Vdash \varphi$. The other direction is analogous.

Assume $\varphi = \forall y.\varphi_0$. Without loss of generality $y \ne x$ and $y \notin FV(t)$. Suppose $s, u \Vdash \forall y.\varphi_0[x/t]$, and let $s' \ge s$ and $d \in \mathcal{D}_\tau$. We have $s', u[y/d] \Vdash \varphi_0[x/t]$. By the IH we obtain $s', u'[y/d] \Vdash \varphi_0$. This implies $s, u' \Vdash \forall y.\varphi_0$. The other direction is analogous. □

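Theorem 2.7. The conditions $\Delta \Vdash \varphi$ and $\Delta \vdash \varphi$ are equivalent.

Proof. By induction on the length of derivation we first show that $\Delta \vdash \varphi$ implies $\Delta \Vdash \varphi$. Note that it suffices to show this for finite $\Delta$. The implication is obvious for the axiom. Assume $\Delta \vdash \varphi$ was obtained by rule $\forall_i$. Then $\varphi = \forall x.\psi$ for $x \in V_\tau$, $x \notin FV(\Delta)$. Let $\mathcal{M}, s, u$ be such that $s, u \Vdash_{\mathcal{M}} \Delta$. Hence for all $s' \ge s$ we have $s', u \Vdash_{\mathcal{M}} \Delta$, and $s', u[x/d] \Vdash_{\mathcal{M}} \Delta$ for any $d \in \mathcal{D}_\tau$ because $x \notin FV(\Delta)$. So by the inductive hypothesis we obtain $s', u[x/d] \Vdash_{\mathcal{M}} \psi$ for any $d \in \mathcal{D}_\tau$. By the definition of a Kripke model, this implies $s, u \Vdash_{\mathcal{M}} \forall x.\psi$. The remaining cases are equally straightforward. Lemma 2.6 is needed for the rule $\forall_e$.

To prove the other direction, we assume that $\Delta_0 \nvdash \varphi_0$ and construct a Kripke model $\mathcal{M}$ and a valuation $u$ such that for some state $s$ of $\mathcal{M}$ we have $s, u \Vdash_{\mathcal{M}} \Delta_0$, but $s, u \nVdash_{\mathcal{M}} \varphi_0$.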

First, without loss of generality, we assume that there are infinitely many variables not occurring in the formulas of $\Delta_0$. We can do this because extending the language with infinitely many new variables is conservative. The states of $\mathcal{M}$ are consistent sets of formulas $\Delta' \supseteq \Delta_0$ which differ from $\Delta_0$ by only finitely many formulas. The ordering is by inclusion. For any type $\tau$ as $\mathcal{D}_\tau$ we take the set of terms of type $\tau$. Let $v$ be a variable valuation. Given a term $t$, we denote by $t^v$ a term obtained from $t$ by simultaneously substituting any variable $x \in FV(t)$ by the term $v(x)$. We obviously assume that no variables are captured in these substitutions, which is possible because we treat formulas up to $\alpha$-equivalence. We define the interpretation $I$ by $I(c) = c$. We also set $t_1 \cdot t_2 = t_1 t_2$. Notice that now $[\![t]\!]^v = t^v$. Further, we define the function $\sigma$ of $\mathcal{M}$ as follows: $\sigma(\varphi) = \{\Delta \mid \Delta \vdash \varphi\}$ for a formula $\varphi$, where $\Delta$ ranges over sets of formulas which are valid states. Note that $\Delta, v \Vdash_{\mathcal{M}} \varphi$ is now equivalent to $\Delta \vdash \varphi^v$. Finally, we set $u(x) = x$.

² A reader concerned by this is invited to invent an infinite Kripke model (as defined in Definition 2.3) falsifying the Grzegorczyk's scheme $\forall x(\psi \vee \varphi(x)) \supset \psi \vee \forall x \varphi(x)$. This scheme is not intuitionistically valid, but holds in all models with constant domains, in the usual semantics.

Given a formula $\varphi$, a state $\Delta$, and a valuation $v$, we show by induction on the size of $\varphi$ that $\Delta, v \Vdash_{\mathcal{M}} \varphi$ satisfies the conditions required for a Kripke model. If $\varphi = \varphi_1 \supset \varphi_2$ then we need to check that $\Delta \vdash \varphi_1^v \supset \varphi_2^v$ iff for all $\Delta' \supseteq \Delta$ such that $\Delta'$ is a valid state and $\Delta' \vdash \varphi_1^v$ we have $\Delta' \vdash \varphi_2^v$. Suppose the right side holds and take $\Delta' = \Delta \cup \{\varphi_1^v\}$. If $\Delta'$ is a valid state then $\Delta' \vdash \varphi_2^v$, hence by rule $\supset_i$ we obtain $\Delta \vdash \varphi_1^v \supset \varphi_2^v$. Because $\Delta$ extends $\Delta_0$ by finitely many formulas, so does $\Delta'$. Hence if $\Delta'$ is not a valid state, then it is inconsistent. Then obviously $\Delta' \vdash \varphi_2^v$ anyway, so we again obtain the left side by applying rule $\supset_i$. The other direction follows by applying $\supset_e$ and weakening finitely many times.

Similarly, if $\varphi = \forall x.\psi$, then without loss of generality we assume $v(x) = x$, $x \in V_\tau$, and check that $\Delta \vdash \forall x.\psi^v$ iff for all valid states $\Delta' \supseteq \Delta$ and all $t_1 \in \mathcal{D}_\tau$ we have $\Delta' \vdash \psi^{v'}$ where $v' = v[x/t_1]$. If the right side of the equivalence holds, then it holds in particular for $t_1 = y$ such that $y \notin FV(\Delta, \psi^v)$ and $\Delta' = \Delta$. Such $y$ exists, because we have assumed an infinite number of variables not occurring in the formulas of $\Delta_0$, and $\Delta$ extends $\Delta_0$ by only finitely many formulas. By rule $\forall_i$ we obtain $\Delta \vdash \forall y.\psi^{v'}$, which is $\alpha$-equivalent to the left side, and we treat $\alpha$-equivalent formulas as identical. Conversely, if $\Delta \vdash \forall x.\psi^v$, then by rule $\forall_e$ and weakening we obtain $\Delta' \vdash \psi^v[x/t_1]$. This is equivalent to $\Delta' \vdash \psi^{v'}$ where $v' = v[x/t_1]$.

It is now a matter of routine to check that $\mathcal{M}$ is a Kripke model. Obviously, in this model we have $\Delta_0, u \nVdash \varphi_0$, i.e. $\Delta_0 \notin \sigma([\![\varphi_0]\!]^u) = \sigma(\varphi_0)$, because $\Delta_0 \nvdash \varphi_0$. On the other hand, $\Delta_0, u \Vdash \varphi$ for every $\varphi \in \Delta_0$. This proves the theorem. □



3 Illative systems 

In this section we define the higher-order illative systems X^, '^Z second-order illative system Iq- 

We also define a semantics for these systems. 

Definition 3.1. By $\mathbb{T}(\Sigma)$ we denote the set of type-free lambda-terms over some specific set $\Sigma$ of primitive constants, which is assumed to contain $\Xi$ and $L$.

We use the following abbreviations. The term $\supset$ is usually written in infix notation and is assumed to be right-associative.

$I = \lambda x.x$
$S = \lambda xyz.xz(yz)$
$K = \lambda xy.x$
$H = \lambda x.L(Kx)$
$\supset\ = \lambda xy.\Xi(Kx)(Ky)$
$F = \lambda xyf.\Xi x(\lambda z.y(fz))$

The constant $\Xi$ functions as a restricted quantification operator, i.e. $\Xi AB$ is intuitively interpreted as $\forall x.Ax \supset Bx$. The intended interpretation of $LA$ is "$A$ is a type", or "$A$ may be a range of quantification". The constant $H$ stands for the type of propositions, and $FAB$ denotes the type of functions from $A$ to $B$.

For systems of illative combinatory logic, judgements have the form $\Gamma \vdash t$ where $\Gamma$ is a finite subset of $\mathbb{T}(\Sigma)$ and $t \in \mathbb{T}(\Sigma)$. The notation $\Gamma, t$ is an abbreviation for $\Gamma \cup \{t\}$.

The system $\mathcal{I}_\omega$ is defined by the following axioms and rules.

Axioms 

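(1) $\Gamma, t \vdash t$

(2) $\Gamma \vdash LH$

Rules

$$\mathrm{Eq}:\ \frac{\Gamma \vdash t_1 \quad t_1 =_{\beta\eta} t_2}{\Gamma \vdash t_2} \qquad H_i:\ \frac{\Gamma \vdash t}{\Gamma \vdash Ht}$$

$$\Xi_e:\ \frac{\Gamma \vdash \Xi t_1 t_2 \quad \Gamma \vdash t_1 t}{\Gamma \vdash t_2 t}$$

$$\Xi_i:\ \frac{\Gamma, t_1 x \vdash t_2 x \quad \Gamma \vdash L t_1}{\Gamma \vdash \Xi t_1 t_2}\ \ x \notin FV(\Gamma, t_1, t_2)$$

$$\Xi_H:\ \frac{\Gamma, t_1 x \vdash H(t_2 x) \quad \Gamma \vdash L t_1}{\Gamma \vdash H(\Xi t_1 t_2)}\ \ x \notin FV(\Gamma, t_1, t_2)$$

$$F_L:\ \frac{\Gamma, t_1 x \vdash L t_2 \quad \Gamma \vdash L t_1}{\Gamma \vdash L(F t_1 t_2)}\ \ x \notin FV(\Gamma, t_1, t_2)$$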

The system $\mathcal{I}_0$ is $\mathcal{I}_\omega$ minus the rule $F_L$. The rule $F_L$ allows us to quantify over functions and predicates. Obviously, to make any use of this we need additional constants $A_\tau$ representing base types, constants $c$ representing some elements of type $\tau$, axioms $LA_\tau$ and $A_\tau c$, and some axioms of the form e.g. $p(fc_1)(gc_2)$ where $f$, $g$ are constants representing functions and $p$ is a predicate constant (i.e. of type $\tau_1 \to \tau_2 \to o$). That most such simple extensions are consistent with is a consequence of the model construction in Section 3.

For an arbitrary set $\Gamma$, we write $\Gamma \vdash_{\mathcal{I}} t$ if there is a finite subset $\Gamma' \subseteq \Gamma$ and a derivation of $\Gamma' \vdash t$ in an illative system $\mathcal{I}$. The subscript is dropped when obvious from the context.

Lemma 3.2. The following rules are admissible in $\mathcal{I}_\omega$ and $\mathcal{I}_0$.

ThtiDt2 F h ti F, ii h i2 r h Hti 

" ' Tht2 ThtiDt2 

T,tihHt2 FhiJii Fht 



Ph ■■ — ^ ^ Weak : 



Proof. Routine. □ 

Definition 3.3. A combinatory algebra $\mathcal{C}$ is a tuple $\langle C, \cdot, S, K \rangle$, where $\cdot$ is a binary operation in $C$ and $S, K \in C$, such that for any $X, Y, Z \in C$ we have:

• $S \cdot X \cdot Y \cdot Z = (X \cdot Z) \cdot (Y \cdot Z)$,

• $K \cdot X \cdot Y = X$.

To save on notation we often write $X \in \mathcal{C}$ instead of $X \in C$. We assume $\cdot$ associates to the left, and sometimes omit it.

A combinatory algebra is extensional if for any $M_1, M_2 \in \mathcal{C}$, whenever for all $X \in \mathcal{C}$ we have $M_1 X = M_2 X$, then we also have $M_1 = M_2$.

It is well-known that any combinatory algebra contains a fixed-point combinator and satisfies the principle of combinatory abstraction, so any equation of the form $z \cdot x = \Phi(z, x)$, where $\Phi(z, x)$ is an expression involving the variables $z$, $x$ and some elements of $\mathcal{C}$, has a solution for $z$ satisfying this equation for arbitrary $x$.
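
The abstraction principle can be checked mechanically for expressions without self-reference. The following Python sketch is an added example, not code from the paper: it compiles lambda-terms to $S$ and $K$ by bracket abstraction, reduces with the two equations of Definition 3.3, and confirms that the abbreviations $H$, $\supset$ and $F$ of Definition 3.1 unfold as stated. The tuple encoding of terms and the names `Xi`, `app`, `abstract`, `lam` and `normalize` are assumptions of the example.

```python
# Terms: a str is an atom (variable or constant); a pair (f, a) is the application f·a.
S, K = "S", "K"

def app(head, *args):
    """Left-associated application: app(a, b, c) is (a·b)·c."""
    t = head
    for a in args:
        t = (t, a)
    return t

def occurs(x, t):
    if isinstance(t, str):
        return t == x
    return occurs(x, t[0]) or occurs(x, t[1])

def abstract(x, t):
    """Bracket abstraction [x].t: a term without x such that ([x].t)·a = t[x:=a]."""
    if t == x:
        return app(S, K, K)                 # S·K·K behaves as the identity I
    if not occurs(x, t):
        return (K, t)
    f, a = t
    if a == x and not occurs(x, f):
        return f                            # [x].(f·x) = f, justified by extensionality
    return app(S, abstract(x, f), abstract(x, a))

def lam(params, body):
    """Compile the lambda-term λ x1 ... xn . body to S and K."""
    for x in reversed(params.split()):
        body = abstract(x, body)
    return body

def unwind(t):
    """Split a term into its head atom and the list of its arguments."""
    args = []
    while isinstance(t, tuple):
        t, a = t
        args.append(a)
    return t, args[::-1]

def step(t):
    """One leftmost step with the equations of Definition 3.3; None if t is normal."""
    head, args = unwind(t)
    if head == K and len(args) >= 2:        # K·X·Y = X
        return app(args[0], *args[2:])
    if head == S and len(args) >= 3:        # S·X·Y·Z = (X·Z)·(Y·Z)
        x, y, z = args[:3]
        return app(x, z, (y, z), *args[3:])
    for i, a in enumerate(args):
        r = step(a)
        if r is not None:
            return app(head, *args[:i], r, *args[i + 1:])
    return None

def normalize(t, limit=10_000):
    for _ in range(limit):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form within the step limit")

# The abbreviations of Definition 3.1, with "Xi" and "L" as primitive constants.
I = lam("x", "x")
H = lam("x", app("L", (K, "x")))
IMP = lam("x y", app("Xi", (K, "x"), (K, "y")))
F = lam("x y f", app("Xi", "x", lam("z", ("y", ("f", "z")))))

def solve(phi, x="x"):
    """Solution z of the equation z·x = phi, for phi not mentioning z itself."""
    return abstract(x, phi)
```

Equations in which $\Phi$ mentions $z$ additionally need the fixed-point combinator, which this example leaves out because such terms have no normal form to compare against.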

Definition 3.4. An illative Kripke pre-model is a tuple $\langle \mathcal{S}, \le, \mathcal{C}, I, \sigma \rangle$, where $\mathcal{S}$ is a set of states, $\le$ is a partial order on the states, $\mathcal{C}$ is an extensional combinatory algebra, $I : \Sigma \to \mathcal{C}$ is an interpretation of primitive constants, and $\sigma$ is a function assigning upward-closed (w.r.t. $\le$) subsets of $\mathcal{S}$ to elements of $\mathcal{C}$. We sometimes write $\sigma_{\mathcal{M}}$, $\mathcal{S}_{\mathcal{M}}$, etc., to stress that they are components of $\mathcal{M}$.

Given an illative Kripke pre-model $\mathcal{M}$, the value $[\![t]\!]^u_{\mathcal{M}}$ of term $t$ under variable valuation $u$, which is a function from variables to $\mathcal{C}$, is defined inductively:

• $[\![x]\!]^u_{\mathcal{M}} = u(x)$ for a variable $x$,

• $[\![c]\!]^u_{\mathcal{M}} = I(c)$ for a constant $c$,

• $[\![\lambda x.t]\!]^u_{\mathcal{M}}$ is the element $d \in \mathcal{C}$ satisfying $d \cdot d' = [\![t]\!]^{u'}_{\mathcal{M}}$ for any $d' \in \mathcal{C}$, where $u' = u[x/d']$.

Note that the element in the last point is uniquely defined because of extensionality and combinatorial completeness of $\mathcal{C}$.

To save on notation, we often confuse $\Xi$, $L$, etc. with $[\![\Xi]\!]_{\mathcal{M}}$, $[\![L]\!]_{\mathcal{M}}$, etc. The intended meaning is always clear from the context. The subscript $\mathcal{M}$ is also often dropped.

An illative Kripke model for $\mathcal{I}_\omega$ is an illative Kripke pre-model where $\sigma$ satisfies the following conditions for any $X, Y \in \mathcal{C}$:

(1) if $s \in \sigma(LX)$ and for all $s' \ge s$ and all $Z \in \mathcal{C}$ such that $s' \in \sigma(XZ)$ we have $s' \in \sigma(YZ)$, then $s \in \sigma(\Xi XY)$,

(2) if $s \in \sigma(\Xi XY)$ then for all $Z \in \mathcal{C}$ such that $s \in \sigma(XZ)$ we have $s \in \sigma(YZ)$,

(3) if $s \in \sigma(LX)$ and for all $s' \ge s$ and all $Z \in \mathcal{C}$ such that $s' \in \sigma(XZ)$ we have $s' \in \sigma(H(YZ))$, then $s \in \sigma(H(\Xi XY))$,

(4) if $s \in \sigma(LX)$ and for all $s' \ge s$ such that $s' \in \sigma(XZ)$ for some $Z \in \mathcal{C}$, we have $s' \in \sigma(LY)$, then $s \in \sigma(L(FXY))$,

(5) if $s \in \sigma(X)$ then $s \in \sigma(HX)$,

(6) $s \in \sigma(LH)$.

An illative Kripke model for $\mathcal{I}_0$ is defined analogously, but omitting condition ([?]). A model is a classical illative model if it satisfies the law of double negation: if $s \in \sigma((X \supset \bot) \supset \bot)$ then $s \in \sigma(X)$, where $\bot = \Xi HI$. It is not difficult to see that every one-state illative Kripke model is a classical illative model. For a classical illative model with a single state $s$ we define the set $\mathscr{T}$ of true elements by $\mathscr{T} = \{X \in \mathcal{C} \mid s \in \sigma(X)\}$.

For a term $t$ and a valuation $u$, we write $s, u \Vdash_{\mathcal{M}} t$ whenever $s \in \sigma([\![t]\!]^u_{\mathcal{M}})$. For a set of terms $\Gamma$, we write $\Gamma \Vdash_{\mathcal{I}} t$ if for all Kripke models $\mathcal{M}$ of an illative system $\mathcal{I}$, all states $s$ of $\mathcal{M}$, and all valuations $u$ such that $s, u \Vdash_{\mathcal{M}} t'$ for all $t' \in \Gamma$, we have $s, u \Vdash_{\mathcal{M}} t$. Note that $s, u \Vdash_{\mathcal{M}} t$ implies $s', u \Vdash_{\mathcal{M}} t$ for $s' \ge s$, because $\sigma(X)$ is always an upward-closed subset of $\mathcal{S}$, for any argument $X$.

Fact 3.5. In any illative Kripke model the following conditions are satisfied:

(1) if $s \in \sigma(HX)$ and for all $s' \ge s$ such that $s' \in \sigma(X)$ we have $s' \in \sigma(Y)$, then $s \in \sigma(X \supset Y)$,

(2) if $s \in \sigma(X \supset Y)$ then $s \in \sigma(X)$ implies $s \in \sigma(Y)$,

(3) if $s \in \sigma(HX)$ and for all $s' \ge s$ such that $s' \in \sigma(X)$ we have $s' \in \sigma(HY)$, then $s \in \sigma(H(X \supset Y))$.

Theorem 3.6. The conditions $\Gamma \Vdash_{\mathcal{I}} t$ and $\Gamma \vdash_{\mathcal{I}} t$ are equivalent, where $\mathcal{I} = \mathcal{I}_\omega$ or $\mathcal{I} = \mathcal{I}_0$.

Proof. We first check that $\Gamma \vdash_{\mathcal{I}} t$ implies $\Gamma \Vdash_{\mathcal{I}} t$, by a simple induction on the length of derivation. It suffices to prove this for finite $\Gamma$. The implication is immediate for the axioms. Now assume $\Gamma \vdash t_2 t$ was obtained by rule $\Xi_e$, and we have $s, u \Vdash_{\mathcal{M}} \Gamma$. Hence, by the inductive hypothesis $s, u \Vdash_{\mathcal{M}} \Xi t_1 t_2$ and $s, u \Vdash_{\mathcal{M}} t_1 t$, which by condition (2) in Definition 3.4 implies $s, u \Vdash_{\mathcal{M}} t_2 t$. Assume $\Gamma \vdash \Xi t_1 t_2$ was obtained by rule $\Xi_i$, and that $s, u \Vdash_{\mathcal{M}} \Gamma$. Let $s' \ge s$ and $Z \in \mathcal{C}$ be such that $s' \in \sigma([\![t_1]\!]^u_{\mathcal{M}} \cdot Z)$. We therefore have $s', u' \Vdash_{\mathcal{M}} \Gamma, t_1 x$, where $u' = u[x/Z]$ and $x \notin FV(\Gamma, t_1, t_2)$. So by the inductive hypothesis we obtain $s', u' \Vdash_{\mathcal{M}} t_2 x$. Because $x \notin FV(t_2)$, this is equivalent to $s' \in \sigma([\![t_2]\!]^u_{\mathcal{M}} \cdot Z)$. The inductive hypothesis implies also that $s \in \sigma(L \cdot [\![t_1]\!]^u_{\mathcal{M}})$. We therefore obtain by condition (1) in Definition 3.4 that $s, u \Vdash_{\mathcal{M}} \Xi t_1 t_2$. The other cases are equally straightforward and we leave them to the reader. In the case of rule Eq the extensionality of $\mathcal{C}$ is needed.

To prove the other direction, we assume $\Gamma_0 \nvdash_{\mathcal{I}} t_0$, and construct an illative Kripke model $\mathcal{M}$ and a valuation $u$ such that for some state $s$ of $\mathcal{M}$ we have $s, u \Vdash_{\mathcal{M}} \Gamma_0$, but $s, u \nVdash_{\mathcal{M}} t_0$.

We construct the model as follows. First of all, we assume without loss of generality that there are infinitely many variables not occurring in $\Gamma_0$. As states we take all sets of terms $\Gamma' \supseteq \Gamma_0$ which extend $\Gamma_0$ by only finitely many formulas. The ordering is by inclusion. The combinatory algebra $\mathcal{C}$ is the set of equivalence classes of $\beta\eta$-equality on $\mathbb{T}(\Sigma)$. We denote the equivalence class of a term $t$ by $[t]_{\beta\eta}$. We define $I(c) = [c]_{\beta\eta}$ for $c \in \Sigma$. The function $\sigma$ is defined by the condition: $\Gamma \in \sigma([t]_{\beta\eta})$ iff $\Gamma \vdash_{\mathcal{I}} t$ and $\Gamma$ is a valid state. This is well-defined because of $\beta\eta$-equality in rule Eq. The valuation $u$ is defined by $u(x) = [x]_{\beta\eta}$. Note that $[\![t]\!]^u_{\mathcal{M}} = [t]_{\beta\eta}$.

We now show that this is an illative Kripke model. We only need to check the conditions on $\sigma$. It is obvious that $\sigma(X)$ is upward-closed for any $X \in \mathcal{C}$ because of weakening. Assume that $\Gamma \vdash Lt_1$, and for all $\Gamma' \supseteq \Gamma$ and all terms $t_3$ such that $\Gamma' \vdash t_1 t_3$ we have $\Gamma' \vdash t_2 t_3$. Then, in particular, this holds for $\Gamma' = \Gamma \cup \{t_1 x\}$ and $t_3 = x$, where $x$ is a variable, $x \notin FV(\Gamma, t_1, t_2)$. Such a variable $x$ exists because $\Gamma$ differs from $\Gamma_0$ by only finitely many formulas, and there are infinitely many variables not occurring in the formulas of $\Gamma_0$. Therefore, by rule $\Xi_i$ we have $\Gamma \vdash \Xi t_1 t_2$, hence $\Gamma \in \sigma([\Xi t_1 t_2]_{\beta\eta})$. This verifies condition (1). Conditions (2), (3), (4) and (5) are verified in a similar manner, using rules $\Xi_e$, $\Xi_H$, $F_L$ and $H_i$, respectively. Condition (6) is immediate from the axiom $\Gamma \vdash LH$.

It is obvious that $\Gamma_0, u \nVdash_{\mathcal{M}} t_0$, i.e. $\Gamma_0 \notin \sigma([t_0]_{\beta\eta})$, because $\Gamma_0 \nvdash_{\mathcal{I}} t_0$. Clearly, we also have $\Gamma_0, u \Vdash_{\mathcal{M}} t$ for all $t \in \Gamma_0$. This proves the theorem. □

Remark 3.7. Note one subtlety here. The above theorem does not imply that $\mathcal{I}_0$ or $\mathcal{I}_\omega$ is consistent. This is because we allow trivial Kripke models, i.e. ones such that $\sigma(X) = \mathcal{S}$ for any $X \in \mathcal{C}$, and it is not obvious that nontrivial ones exist. Indeed, if we dropped the restriction $s \in \sigma(LX)$ in condition (1) in Definition 3.4 then all illative Kripke models would be trivial. To see this, let $X \in \mathcal{C}$ and $s \in \mathcal{S}$ be arbitrary and consider the element $T \in \mathcal{C}$ defined by the equation $T = T \supset X$. Note that dropping $s \in \sigma(LX)$ in condition (1) in Definition 3.4 means dropping $s \in \sigma(HX)$ in condition (1) in Fact 3.5. For any $s' \ge s$ we obviously have $s' \in \sigma(T \supset X)$ whenever $s' \in \sigma(T)$. By condition (2) in Fact 3.5 we conclude that $s' \in \sigma(X)$ whenever $s' \in \sigma(T)$. Therefore, by condition (1) in Fact 3.5 we have $s \in \sigma(T)$. Hence, $s \in \sigma(T \supset X)$ as well, so again $s \in \sigma(X)$. Thus $\sigma(X) = \mathcal{S}$. This argument is essentially the Curry's paradox.

We also conjecture that is complete w.r.t. one-state classical illative models, but the proof would be more difficult than the completeness proof given above. For convenience of reference we state the following simple fact about one-state classical illative models for $\mathcal{I}_\omega$, as we will be constructing such a model in the next section.

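Fact 3.8. For a one-state classical illative model for $\mathcal{I}_\omega$ the conditions on $\sigma$ may be reformulated as follows:

(1) if $LX \in \mathscr{T}$ and for all $Z \in \mathcal{C}$ such that $XZ \in \mathscr{T}$ we have $YZ \in \mathscr{T}$, then $\Xi XY \in \mathscr{T}$,

(2) if $\Xi XY \in \mathscr{T}$ then for all $Z \in \mathcal{C}$ such that $XZ \in \mathscr{T}$ we have $YZ \in \mathscr{T}$,

(3) if $LX \in \mathscr{T}$ and for all $Z \in \mathcal{C}$ such that $XZ \in \mathscr{T}$ we have $H(YZ) \in \mathscr{T}$, then $H(\Xi XY) \in \mathscr{T}$,

(4) if $LX \in \mathscr{T}$, and either $LY \in \mathscr{T}$ or there is no $Z \in \mathcal{C}$ such that $XZ \in \mathscr{T}$, then $L(FXY) \in \mathscr{T}$,

(5) if $X \in \mathscr{T}$ then $HX \in \mathscr{T}$,

(6) $LH \in \mathscr{T}$.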

4 The model construction 

In this section we construct a model for $\mathcal{I}_\omega$. The construction is parameterized by a full model for classical higher-order logic.

4.1 Definitions

In this subsection we give definitions necessary for the construction and fix some notational conventions.

Definition 4.1.1. We define the set of types $\mathcal{T}^+$ by the following grammar:

$\mathcal{T}^+ ::= \mathcal{T}_1 \mid \omega \mid \varepsilon$
$\mathcal{T}_1 ::= \mathcal{T} \mid \mathcal{T}_1 \to \mathcal{T}_1 \mid \omega \to \mathcal{T}_1$
$\mathcal{T} ::= o \mid \mathcal{B} \mid \mathcal{T} \to \mathcal{T}$

where $\mathcal{B}$ is a specific finite set of base types. The type $o$ is the type of propositions, $\omega$ is the type of arbitrary objects, $\varepsilon$ is the empty type.

For the sake of simplicity we use the following notational convention: $\tau \to \varepsilon = \varepsilon$ for $\tau \ne \varepsilon$, $\varepsilon \to \tau = \omega$, and $\tau \to \omega = \omega$, i.e. we use $\tau \to \varepsilon$, etc., which are not valid types, to stand for $\varepsilon$, etc. We also use the abbreviation $\tau_1^n \to \tau_2$ for $\tau_1 \to \ldots \to \tau_1 \to \tau_2$ where $\tau_1$ occurs $n$ times (possibly $n = 0$). □

From now on we fix a full model $\mathcal{N}$ of classical higher-order logic and construct a one-state classical illative model $\mathcal{M}$ for $\mathcal{I}_\omega$. We assume that $\mathcal{T} \subseteq \mathcal{T}^+$ defined above corresponds exactly to the types of $\mathcal{N}$.

Notation 4.1.2. In what follows a term of the form $Kt$ should be read as $\lambda x.t$ where $x \notin FV(t)$, a term $Ht$ as $L(\lambda x.t)$ where $x \notin FV(t)$, and $Ft_1t_2$ as $\lambda f.\Xi t_1(\lambda x.t_2(fx))$ where $f, x \notin FV(t_1, t_2)$ if $t_2$ is not a lambda-abstraction, or as $\lambda f.\Xi t_1(\lambda x.q_2[z/(fx)])$ if $t_2 = \lambda z.q_2$. We adopt this convention to shorten notations. □

Definition 4.1.3. We define a set of primitive constants $\Sigma^+$, and a set of canonical terms as follows. First, for every type $\tau \ne \omega$ we define by induction on the size of $\tau$ a set of canonical terms of type $\tau$, denoted by $\mathbb{T}_\tau$. We also define a set of constants $\Sigma_\tau$ for every type $\tau \notin \{\omega, \varepsilon\} \cup \{\omega \to \tau' \mid \tau' \in \mathcal{T}^+\}$. If $\tau \in \mathcal{T}$ (i.e. it does not contain $\omega$ or $\varepsilon$) then we define $\Sigma_\tau$ to contain a unique constant for every element $d \in \mathcal{D}_\tau$. We set $\mathbb{T}_\tau = \Sigma_\tau$. If $\tau \notin \mathcal{T}$, $\tau = \tau_1 \to \tau_2$ and $\tau_1 \ne \omega$, then denote by $\Sigma_\tau$ a set of new constants for every (set-theoretical) function from $\mathbb{T}_{\tau_1}$ to $\mathbb{T}_{\tau_2}$. Again we set $\mathbb{T}_\tau = \Sigma_\tau$. If $\tau = \omega \to \tau_2$ then $\mathbb{T}_\tau$ consists of all terms of the form $\lambda x.\rho$ where $\rho \in \mathbb{T}_{\tau_2}$. We set $\mathbb{T}_\varepsilon = \emptyset$. By T,'^ we denote an infinite set of distinct new constants, called external constants. The symbol stands for a set consisting of distinct new constants $A_\tau$ for each base type $\tau \in \mathcal{B}$. Finally, we set E+ = {S, L} U S'' U T,^ U S,-. For the sake of uniformity, we use the notation $\mathbb{T}_\omega$ for the set of all closed type-free lambda terms over $\Sigma^+$. Note that terms in $\mathbb{T}_\omega$ are not necessarily canonical and all canonical terms are closed.

We denote the function corresponding to a constant $\rho \in \Sigma_{\tau_1\to\tau_2}$ by $\mathcal{F}(\rho)$. If $\rho \in \mathbb{T}_{\omega\to\tau}$ then $\rho = \lambda x.\rho'$ and by $\mathcal{F}(\rho)$ we denote the constant function from $\mathbb{T}_\omega$ to $\mathbb{T}_\tau$ whose value is always $\rho'$. By $\top \in \Sigma_o$ we denote the constant corresponding to the element $\top \in \mathcal{D}_o$, by $\bot \in \Sigma_o$ the one corresponding to $\bot \in \mathcal{D}_o$. Note that $\Sigma_o = \{\top, \bot\}$, because $\mathcal{D}_o = \{\top, \bot\}$.

Note that if $\tau_1, \tau_2 \ne \omega$ and $\tau_1 \ne \tau_2$ then $\mathbb{T}_{\tau_1} \cap \mathbb{T}_{\tau_2} = \emptyset$. Hence every canonical term $\rho$ may be assigned a unique type $\tau \ne \omega$ such that $\rho \in \mathbb{T}_\tau$. When talking about the canonical type, or simply the type, of a canonical term we mean the type thus defined. □

For each ordinal a we inductively define reduction systems Ra and Ra, a relation ~„ between closed 
terms and types in , and a relation '^a between closed terms and canonical terms. Formally, all these 
notions are defined by one induction in a mutually recursive way, but we split up the definitions for the 
sake of readability. These definitions are monotone with respect to $\alpha$, so the induction collapses at some
ordinal, i.e. the relations do not get larger after this ordinal.

First, let us fix some notations. We write i?<Q for U/3<q-^/3' for 1J^<q '^<a for lj^<a 
We use the notation = for identity of terms up to a-equivalence. By —^<a we denote the reduction 
relation of R^, by — i><Q, the reflexive closure of — by -^<a the transitive reflexive closure of — ><c(, 
and by —<a the transitive reflexive symmetric closure. We write [t]a for the equivalence class of a term 
t w.r.t. the relation =<„■ Analogously, we use the subscript <„ for relations corresponding to ii<a, 
and =a for relations corresponding to _R„. We drop the subscripts when they are obvious or irrelevant.

Informally speaking, we identify types with sets of closed terms. A base type corresponds to the set of all constants of this type, the type $o$ to the set of all propositions, the type $\omega$ to the set of all closed terms, the type $\varepsilon$ to the empty set, and a function type $\tau_1 \to \tau_2$ to the set of all closed terms $t$ such that for all closed $t_1$ of type $\tau_1$ the term $tt_1$ has type $\tau_2$. It is known at the beginning of the transfinite inductive definition exactly which terms have base types, but not so for type $o$ or function types. During the course of the induction new terms may obtain types. For instance, we may have $FA_{\tau_1}A_{\tau_2}t \succ_\alpha \top$ for some $\alpha$, but $FA_{\tau_1}A_{\tau_2}t \not\succ_\beta \top$ for all $\beta < \alpha$, where $r \succ_\alpha \top$ basically means that the term $r$ is certainly true based on what we know at stage $\alpha$. So the fact that $t$ has type $\tau_1 \to \tau_2$ becomes known only at stage $\alpha$ of the induction. Our induction stops when no new typings may be obtained and no new terms may become true or false, i.e. when we have all information we need to construct the model.

Note that canonical terms may obtain types different from their canonical types. For instance, a 
term of the form Xx.c where c € will ultimately obtain the type w and all of the types t' ^ t for any 
type r'. As far as canonical terms are concerned, we mostly care about their canonical types, and it is 
known beforehand what types these are. 

Intuitively, t P is intended to hold if p € is a "canonical" object which is "equivalent" to t 
in type r, basing on the information we have at stage a. Let us give some examples to elucidate what 
we mean by this. For instance, suppose we have two distinct (hence disjoint) base types ti and T2, and 
two functions idxi-j-n ^'^'^ idT2->-T2 which are identities on n and T2 respectively. In i?i we will have 
idri^n S'lid idT2^r2 as canonical constants of type t\ — )■ t\ and T2 — )■ T2 respectively. The reduction rules 
associated with lAr^^n will be id^i^TiC c for every canonical constant c of type ti, and analogously 
for idx2-)-T2- Note that idn^riC will not form a redex if c is a canonical constant of type different from n. 
Now we have both Xx.x idxi-j-n and Xx.x >-i idx2->T2) because Xx.x behaves exactly like idxi-j-n 
when given arguments of type ti, and exactly like id^2-!-T2 when given arguments of type T2. In fact, we 
will define the reduction systems so as to make Xx.x and idxi-j-n indistinguishable, for sufficiently 
large a, wherever a term of type t\ — >■ n is "expected". For instance, for any reduction rule of the form 
pi&r^^Ti c, where p is a canonical term of type (n — >^ n) — > r for some r, we will add a reduction 
rule p {Xx.x) — c. 

In the case p G {T, _L}, the relation t P encompasses a definition of truth. The condition t >-« T 

means that t is certainly true, basing on the information from the earlier stages (3 < a of the inductive 
definition. So if t T then t should behave like T wherever a truth-value is expected. If t -L, then 
t is certainly not true. 

li t ^ p then we never have t P for a canonical term p of some base type r, because no term 
different from p behaves like p if the type of p is an atomic type different from o. 

Notation 4.1.4. We use the notation t P when t -»<q t' >-a p. We write for U^<a "^P- 

Informally, t p holds if we can reduce using the rules of Ra, to a term equivalent to a canonical 
term p in the type of p basing on what we know at stage a of the inductive definition. A careful reader 
will notice that what we ultimately really care about is the relation not because we want to 
identify i?Q,-equivalent terms. The relation is needed chiefly to facilitate the proofs. 

The condition t ~q, t is intended to hold if t "represents" the type r basing on what we know at 
stage a, i.e. if Lt T and for all terms r known to be of type r we have tr T, but we should 
not have tr T for any r which is not of type t. So for instance for each type r £ B we should have 
At ~q t for sufficiently large a. Because e is the empty type, we should never have t ~q, e for any term t. 
Since uj is the type of arbitrary objects we should have t if for all terms r we have tr ^<q, T. 

Having explained the intuitive meaning of the relations, we may proceed to formal definitions. The 
definition below depends on the definition of >-<«, and thus on for ^ < a. 

Definition 4.1.5. A reduction system is a set of reduction rules over a specified set of terms. We assume 
familiarity with lambda-calculus or rewrite systems and we will not bother to repeat precise definitions 
of reductions, etc. In all reduction systems we consider we assume the set of terms to be the type-free 
lambda-terms over S^. 

We define Ra to contain the following reduction rules: 

• for a = 0: rules of β- and η-reduction, 

• for a > 0: rules ct — > p2 for every c £ T,ti^t2 (so ti 7^ w), every p2 € and every closed term t 
such that t y<:a Pi and T{c){pi) = p2. 

We set Roc = R<a U -R^. □ 

Definition 4.1.6. The relation ~a is defined by the following rules. Recall that ri — >■ e = e for n ^ e, 

e — >■ r2 = w, and ri — >■ w = w. 
T eB 

(A) : (H) : 



At ~„ T H ~™ o 



(F) : — ;;r^ ^ (F'^) ^ 



The above definition depends on the definitions of R/s, ~/3 and >-fj for /3 < a. The next definition 
of >-q; depends on the definitions of and for 13 < a, and on )^<a- 

Definition 4.1.7. We define the relation t P for canonical terms p by the following conditions: 

• p )^c« p for a > 0, 

• t P the canonical type of p is ti — > T2 and t is a closed term such that for any ti G we 
have tti "~*<a ■^{p){ti)- Note that we allow ti = w but not ti = e. 

In particular, T >-q, T and _L :^c« -L by the above definition. For p e {T,±} we give additional 
postulates. 

We stipulate f )^c« T for a > and all closed terms t such that: 

(1) t = LAt for some r G S, or 

(2) t = LH, or 

(3) t = ArC for T e B and c e T,r, 

(4) t = Hc = L{Kc) for c e {T, ±}. 

When a > we additionally postulate t )^a. T for all closed terms t such that at least one of the 
following holds: 

(S^) t = Etit2 where ti, t2 are closed terms such that there exists r s.t. ti t and for all ts e we 

have t2h '^<a T, 

(Sj) t = H{Etit2) = L{K{Etit2)) where ti, t2 are closed terms such that there exists r s.t. ti ~a r and 
for all G we have H{t2tz) "^<a T, 

(F/) t = L{Ftit2) where ti, t2 are closed terms such that at least one of the following holds: 

• ii ~a T for some t ^ e and "^<a T, 

t = Hti= L{Kti) and ti T. 

Finally, when a > we postulate t >-„ _L for all closed terms t such that: 

(S-*-) t = Stit2, -fft >-<a T, and there exist a type r and a term ts e such that ti ~q; r and 
t2t3 '^<a -L- 

The intuitive interpretation of Sfit2 is restricted quantification "ix.tix D t2X, but ti is required to 
represent a type. In illative combinatory logic the notions of being (representing) a type and being 
eligible to stand as a quantifier range are equivalent. It turns out that the types of are just the types 
defined by . This explains putting ti t in some of the cases above. 

During the course of the transfinite inductive definition some previously untyped terms t will obtain 
types, e.g. a statement of the form FAt^At^I will become true at some stage a. At that point we need 
to decide which term among the canonical terms of type ti — > T2 behaves exactly like t. The whole 
correctness proof rests on the fact that this decision is always possible. That we may choose such a 
canonical term implies that quantifying over only canonical terms of a certain type r is equivalent to 
quantifying over all terms of type r. This justifies restricting quantification to canonical terms in the 
above definition oit >-„ T. 
Lemma 4.1.8. For a < (3 we have the following inclusions: Ra C _R^, C and C 

Proof. Follows easily from definitions. □ 

It follows from Lemma 4.1.8 by a simple cardinality argument that there exists an ordinal C such that 
>-i^ = ;^<^ and = R<c- Note that we also have ^c, — ^<c- In what follows we will use the notations 
R, >~, etc. for i?^, ^(^, etc. 

Finally, we are ready to define the model M for . 

Definition 4.1.9. The one-state classical illative Kripke model M is defined as follows. We take the 
combinatory algebra C of to be the set of equivalence classes of =ii on closed terms. We define the 
interpretation / of by /(c) = [c]r- We define the set 5^ of true elements of by 5^ = {d | 3i . d = 
[tin At T} where t is required to be closed. 

An n-ary context C is a lambda-term over the set of constants E+U{ni, . . . , ^n}i where □!,...,□„ ^ 
S+. The constants Di, ...,□„ are the boxes of C. If C is an n-ary context then by C[ti, . . . ,i„] we 
denote the term C with all occurrences of replaced with ti for i = 1, . . . ,n. By a context we usually 
mean a unary context, unless otherwise qualified. In this case we write □ instead of Di. 

In what follows a, /?, etc. stand for ordinals; t, ti, t2^ r, ri, r2, etc. stand for closed terms; q, qi, q2, 
etc. stand for arbitrary (possibly open) terms; c, ci, C2, etc. stand for constants from E^; v, vi, i>2 etc. 
stand for external constants (i.e. e E''); r, ti, T2, etc. stand for types; p, pi, p2 stand for canonical 
terms (i.e. terms p G for t 7^ uj); and C, C", Ci, C2, etc. denote contexts; unless otherwise qualified. 

4.2 Correctness proof 

In this subsection we prove that the preceding lengthy definition of is actually correct, i.e. that 
is a classical illative Kripke model for . 

Below we will silently use the following simple lemma, without mentioning it explicitly every time. 

Lemma 4.2.1. If Xx.'E.qiq2 -» Xx.q then q = ^q[q2 where qi q[ and (72 '?2- analogous result 
holds when Xx-A^qi Xx.q for t Cz B, and when Xx.Lqi Xx.q. Here the reduction -» may stand for 
any of -^<a, ~^<a, etc. 

Proof. This follows from the fact that there are no reduction rules which involve S, L, or Ar for t G B, 
so the reductions may happen only inside qi and q2. Note that to make the argument complete we also 
need to rule out the possibility of η-reduction at the root (e.g. of the form Xx.'E.qix — Sgi), but this is 
evident because there is no way we could recover the missing lambda-abstraction. □ 

Note that together with our convention stated in Notation 4.1.2 regarding the meaning of Fqiq2 and 
Hqi, Lemma 4.2.1 implies that: 

• if Fqiq2 -» q then q = Fq[q'2 where qi q[ and q2 ^921 

• if Hqi -» q then q = Hq[ where qi — » q[. 

The proof of the following lemma illustrates a pattern common to many of the proofs below. We give 
this single proof in full, but when later an argument follows this same pattern we treat only some of the 
cases to spare the reader excessive tedious details. 

Lemma 4.2.2. If v is an external constant and C is a context then the following conditions hold: 

(1) if t -^<a t' and t = C[v\ then t' = C'[v\ where C -^<a C , 

(2) if C[v\ >~a p then C[t\ >~a p for any term t, 

(3) if C[i>] ~ct T then C[t] t for any term t. 
Proof. Induction on a. If a = then claims ([T]) and ^ are obvious, because if r P or r then 
r does not contain external constants. For a — claim ([T]) is also easily verified by induction on the 
number of reduction steps, because Rq contains no rules involving ly. Therefore assume a > 0. 

First, we show ^ by induction on the length of the reduction Civ] t' ■ The only interesting case 

is when cC[i^] — ><q p2 by virtue of C[j^] pi. But then by part ([2]) of the IH we have C[t] pi, 
so pC[t] -^<a P2- 

Next we shall verify ([3]). If C[i^] t is obtained by rule (A) or (H), then C = Ar for t G B or 
C = H , and the claim is obvious. 

If C[i^] T is obtained by rule (Ku) or (Ke) then t G {oJ,e} and C[i^] '^<q c for c G {T, ±}, i.e. 
C[iy] t' c. By part Q of the IH we obtain t' = C"[z/] where C C . Then by part ([2]) of 

the IH we have C'[t] ><^a c. Hence C'[t] '^<q c, so C'[t] t by rule (Kw) or (Ke). 

If C[i'] ~a is obtained by rule (Fw) then t = cj, C = FC1C2 and Ci[i^] '^<a e. By part ([3]) of the 
IH we obtain Ci[t] e, and thus C[t\ = FCi[i]C2[t] --a w by rule (Fw). 

Finally, if C[v] t is obtained by rule (F) then t = ti ^ T2 and C = FC1C2 where Ci[^] ~<q n 
and C2[i^] ^<Q T2. But then by part Q of the IH we have Ci[t] n and C2[i] ^<q T2, which implies 
C[t] = m[i]C2M r. 

Now we check condition Suppose C[j^] p for a canonical term p. If C[i^] = p then the claim is 
obvious because canonical terms are closed, so C[t] = C = C[iy] = p. If the canonical type of p is ti T2 
then by definition for any ti G T^-^ we have C[i^]ti -^<a T{p){ti). By parts ^ and Q of the IH and by 
the definition of '^<a we obtain C[t]ti J'{p){ti)- Hence C[t] >-a P- 

Suppose p = T. If C[v\ ^0 T then one of the conditions (S^), (Sj), [F]^) or {HJ) in Definition 4.1.7 
must hold. If (S^) holds then C = SC1C2 and there exists r such that Ci[v\ t and for all t' G 
we have C2[v\t' T. By claim which has already been verified in this inductive step, we obtain 

Ci\t\ ~Q By parts ([T]) and (O of the IH we conclude that for all t' G Tr we have C2[t\t' T. 
Therefore C[t\ = SCi[t]C2[i] >a T. If (S]^) holds then C = H{ECiC2) and the proof is completely 
analogous. 

If condition {F^) holds then C = L{FCiC2)- If Ci[v\ £ then by ^ we obtain Ci[t] £, and 
thus C[t] = L{FCi[t]C2[t]) >a T. Otherwise Ci[v] r for some t 7^ e and LC2[H '^<a T. By © we 
have Ci[t\ ~q t, and by parts (H]) and ([2]) of the IH we obtain LC2[t] T. Therefore C[t] >~a T. 

If condition {Hj) holds then C = HCi and Ci[z^] '^<q T. Hence by parts ([T]) and dH) of the inductive 
hypothesis we obtain Ci[t] '^<q T, and thus C[t] T. 

It remains to verify the case C[iy] >-a -L. Assuming C[v\ ^0 -L, the condition (S-*-) must hold. Then 
C = EC1C2, HClv] T, and there exist a type t and a term G T,- such that Ci[u] t and 

C2[j^]i3 "^<a -L. The claim again follows by applying the already verified condition ([3]) and parts ([1]) 
and ^ of the inductive hypothesis. □ 

The next lemma and Lemma 4.2.10 are the two key technical lemmas justifying the correctness of 
our model construction. 

Lemma 4.2.3. For all ordinals a, 13 the following conditions hold: 

(1) Ra and Rp commute, 

(2) if ti >~a P o,nd ti ^<i3 t2 then t2 )~a P, 

(3) ift>-aPi,t >-p p2 and p\,p2 e T^- then pi = p2, 

(4) if ti T and ti ~^<i3 t2 then t2 t, 

(5) if t Ti and t T2 then ti — T2, 

(6) if t ^ then tr T for all r, and if t £ then tr 1- for all r. 

Proof. Induction on pairs (a, /3) ordered lexicographically. Together with every condition we show its 
dual, i.e. the condition with a and /3 exchanged. We give proofs only for the original conditions, but it 
can be easily seen that in every case the dual condition follows by exactly the same proof with a and jS 
exchanged. Note that for a proof of a condition to be a proof of its dual, it suffices that we never use 
the inductive hypothesis with /3 increased. 
First note that conditions ([T]) and ^ imply that if ti P and ti -»</3 then t2 P- Indeed, if 
ti ^<a t'l )~a P and ti -^<.p t2, then by ([T]) we have ^2 t'2 and t'l Hence by ^ it follows 

that t'2 P, so ^2 P- 

Instead of ([1]) we prove a stronger claim that Ra and Rp commute. Condition ^ follows from this 
claim by a simple tiling argument. 

If a = /3 = then the claim is obvious, because i?o = ^0 is the ordinary λβη-calculus. We therefore 
check that i?o commutes with R^ for a > 0. Note that if term is a i?Q-redex then it is closed, so it 
suffices to consider closed terms. We show that if t -^=a ti and t -^i3n ^2 then there exists such 
that ti -^"^jj ^3 and t2 —>^=a ^3- The claim then follows by a simple diagram chase. If the redexes do 
not overlap (critically) then this is obvious, but we need the transitive reflexive closure of -^=a in the 
conclusion, because a /3-contraction may duplicate or erase the original i?Q-redex. If the redexes overlap, 
then without loss of generality we may assume t = ct' -^=a ti = -^(c)(p), t' p, t2 = ctj, and 

t' —^pri ^2- By part ([2]) of the IH we obtain t2 >-<q p. Therefore t2 = ct'2 -^=a ^{c){p) = ti- 

We now check that Ra commutes with Rp for a, /3 > 0. It suffices to show that if t — ii and 
t -^=0 t2 then there exists ts such that ti -^Zp ^3 and t2 -^=a ^3- If the redexes do not overlap then this 
is obvious. Suppose they overlap at the root, i.e. t = ct', ct' -^=a ti = J-'{c){pi) where t' ><^a Pi, and 
ct' — ?>=/3 t2 = J-{c){p2) where t' y<p P2- But then pi and p2 are canonical terms of the same type, which 
is determined by the type of c. So by part ^ of the IH we obtain pi = p2- Hence ti =t2- If the overlap 
does not happen at the root, then without loss of generality t = ct' , ct' -^=a ti = J^{c){p) where t' p, 
t2 = ct'2, and t' —>-=p t'2. By part ^ of the IH we obtain t'2 >-<q p, so t2 = ct'2 ^=a ^{c){p) = ti- 

Now we shall prove If ti = t for r G S or ii = H, then the claim is obvious. If 

ti = Kt'i and t'^ T, then t2 — Kt'2, t'l t'2, and by parts H]) and Q of the IH we have 

t'2 '^<a T. Hence t2 ^- If ti = Kt'i £ and t'^ '^<q -L the proof is analogous. If ti = Ft\tl then 
t2 = Ft\t^ where t\ -»<^ t\ and t\ t^. If ti = Ft\t\ w and ^<q e then ^<q e by the IH, 
so t2 Lo. The only remaining case is ti = Ft\t^ ti — > T2 for t\ ti and t^ '^<a T2. We have 
<2 ~<Q Ti and ^2 ^<a T2 by the IH, hence t2 ~a ti — ?> T2. 

We show (2]). li ti = p then ti is in i?^-normal form, so there is nothing to prove. If ti ^ p, ti P 
and ti ~^<p t2, where p e Tri^T2, then by definition for all pi G we have tipi ^<q, p2, where 
P2 = J-{p){pi). But then by parts H]) and ^ of the inductive hypothesis t2Pi ■^<a P2, so t2 >-q p- 
Therefore suppose ti T. When ti >-a -L the argument is similar. If a = then the claim is obvious, 
because the right sides of the identities in the postulates for ti T are normal forms. If a > then 
assume ti t2, ti = 'E.t\ti and condition (Ej) in the definition of ti T is satisfied, i.e. there 

exists r s.t. t\ ~ct and for all ^3 G T-r we have tfi3 '^<a T. When any of the other conditions in the 
definition of ti >-a T is satisfied instead of (S^), then the proof is analogous. By Lemma 4.2.1 we have 
t2 = ^^2^2 where t\ -^<f} t\ and t\ -»<^ t^. By which has already been verified in this inductive 
step, we obtain t\ ~q t. It therefore suffices to check that for all ^3 G T,- we have t^t^ '^<a T. But for 
^3 e Tr obviously tft^ ^<q, T, so t^t^ ^<q, T by parts ^ and ^ of the IH. 

We shall now prove Suppose t w. If t e then the proof is analogous. If t ~q, uj is obtained 
by rule (Kw) then the claim is obvious. The only other possibilities are that t ^ is obtained by rule 
(F) or (Fuj). Then t = Ftit2 and tr —p^i 'Bti\x.t2{rx). It suffices to verify that 'Bti\x.t2{rx) >-<^a T, 
because then for t' such that tr t' and 'Bti\x.t2{rx) ^pri t' we have t' >-<q, T by part ^ of the IH, 
which implies tr '^<q T. If the derivation of t ^ is by (Fw) then ti '^<q £ and 'E.ti\x.t2{rx) >-<q T 
by definition (because = 0). If ti ^<^a £ then t\ ^<^a t for some r and t2 ^<a w. Let 7 < a be 
such that ti T and ^2 ~7 w. Suppose ^3 G T,-. By the inductive hypothesis t2{rt:i) ^^-y T, so 
{Xx.t2{t'x))t^ ^<7 T as well. This implies that 'EtiXx.t2{rx) T. 

We show ([5]). Suppose i ~q ti and t ^p T2. li t = Ar ior t G B or t = H then the claim is obvious. 
So suppose t ^ Ar for t € B and t H. First assume that both t ^q, ti and t '^p T2 are obtained by 
rule (F). Hence ti — —> r^, T2 — — ?> t|, and t = Ftit2 where ti ^<^a tI, t2 ^<a Tf, ti ^<:p t^, and 
^2 ^<f} T2- By the IH = and — ^2, so ti — T2. If both t ti and t ^^p T2 are obtained by rule 
(Fw), or one is obtained by (Fcj) and the other by (F), then the argument is similar. If one is obtained 
by (Kw) and the other by (Ke), then the claim follows from parts ^ and ^ of the IH. The only other 
possibility is, without loss of generality, when t ti is obtained by (Kw) or (Ke) and t ^p T2 by (F) or 
(Fw). Then t = Kt' . 

We show by induction on 7 the following claim: for any closed term t^ and any type r the condition 
KtQ T implies t — uj or t — e. The non-obvious case is when Kto = Ftit2 77 — is obtained 
by rule (F), and ti fi for fi 7^ e, and t2 ^<-y '^2- According to the convention from Notation 4.1.2 
the condition KIq = Ftit2 implies for x ^ FV"(to), /, 2/ ^ FV{ti,t2) that Aa;.io = A/.Siir where either 
r = Xy.t2{fy) and ^2 is not a lambda-abstraction, or r = Xy.q'2[z/{fy)] and t2 = Az.gj- But then to = ^■ 
Thus we must have ^2 = Xz.q'2 and z ^ ^^(92), since otherwise / G FV{r) and the a-equivalence to = r 
would not hold. Hence q'2 is closed because t2 is, so t2 = Kq2 and by the inductive hypothesis we conclude 
7^ = w or = e. In either case t = oj ov t — e. This verifies the claim. 

Therefore, because t = Kt' , we have ti,T2 G {w, e}. For instance, suppose n = w and T2 = e. By © 
and its dual, which we have already verified in this inductive step, for all is we have tt^ T and 

tt^ ^<ci3 -L. By parts (H]) and ^ of the IH this implies the existence of ^4 such that t4 T and 

t4 >-<i3 -L, which contradicts part ([3|) of the IH. 

It remains to verify li t € B then this is obvious. Suppose t = ti — > T2 G Tl. Note that for all 
ti G Tt-j we have J-{pi){ti) = F{p2){ti). This follows from the definition of for r = ti — > T2 G 7i, 
from parts (H]), ^ and ([3]) of the IH, and from the fact that canonical terms are in normal form. Now, 
if Tl = a; then pi = Xx.p[ and p2 = Xx.p'2- Thus for any ti we have p[ = T{pi){ti) = F{p2){ti) = p'2, 
so pi = p2. If Tl ^ a; then the claim is immediate, because Ttj^^j.^.^ = Y,t-i^t2 foi' "Ti ^ ^ was defined to 
contain exactly one constant for every function from T^^ to T^^ . 

The last remaining case is r = o. Thus, suppose t >-a T and t ±. It is easily seen that this is 
impossible if a = or /3 = 0. Therefore assume a > 0, /3 > 0, t ^0 T and t ^0 -L- Then conditions {^J) 
and (S^) must be satisfied. So we have t = Stit2 and there exists ti such that ti ~q ti and for all 
t' G we have t2t' '^<q T. There also exists T2 and G T^-^ such that ti T2 and ^2^3 '^</3 -L. 
But by ([5]) we have t\ = T2. Hence t2i3 ^<a T and t2i3 '^</3 -L, which contradicts the inductive 
hypothesis. □ 

Corollary 4.2.4. If t =<„ t' then t T. 

Proof. Follows from conditions ^ and ^ in Lemma 4.2.3. □ 

Corollary 4.2.5. If t pi and t P2 where pi, p2 are canonical terms with the same canonical 
type, then pi = p2- 

Proof. Follows from conditions (U)-® in Lemma 4.2.3. □ 

Lemma 4.2.6. Let ti and t2 be closed terms. If for all closed to we have tito =<„ ^2^0 then ti —<a ^2- 
In particular, the combinatory algebra of M, as defined in Definition 4.1.9, is extensional. 

Proof. If tito =<a ^2^0 for all closed to then in particular tiv =<a t2V where v is an external constant 
which does not occur in ti and ^2- Since there are infinitely many external constants we may always 
choose one satisfying this condition. By part ^ of Lemma 4.2.3 there exists t' such that tiv -^<a t' 
and t2i' '^<a t' . Let Ci = tiO and C2 = ^2^. By Lemma 4.2.2 there exist C[ and such that 
t' = C'lli'] = C2[i'], Ci -»<Q C'l and C2 (^2- Because ly does not occur in Ci and C2, and there are 

no reduction rules in Ra which could produce a term containing z/, we conclude that v does not occur 
in C'l and C2. Hence C[ =6*2, since C{[i^] = C'2\y\. This implies that C\ C2, so t\x —<a t2X for a 
variable x, and consequently ti Xx.tix —<a Xx.t2X — ^2- Therefore ti =<q, ^2- D 

The rank of a type r, denoted rank(T), is defined as follows. If t G B U {o,uj,e} then rank(T) = 1. 
Otherwise t = ri — > T2 G 7i and we set rank(r) = max{rank(ri) + 1, rank(T2)}. By the rank of a 
canonical term we mean the rank of its canonical type. 

We write t t' if there exists an n-ary context C, closed terms ti, . . . ,t„, and canonical terms 
pi, . . . , pn, such that ti )~a Pi for i — 1, . . . ,n, t = C[ti, . . . , t„] and t' = C[pi, . . . , pn]- If the maximal 
rank of pi, . . . , p„ is at most k then we write t ^„ t' , and if it is less than k we write t ^^'^ t' . 

The following simple fact states some easy properties of canonical terms. It will sometimes be used 
implicitly in what follows. 

Fact 4.2.7. If p is a canonical term then: 

(1) p = Xxi ...x„.c where n > 0, c G St for some t (so t ^ uj ^ ti), and p G T^^n^^, 

(2) if p = C[t] then either C = Xxi . . . Xfe.D and t is a canonical term, or C = p. 

Lemma 4.2.8. If t P then Xxi . . . Xk-t "^a+k Xxi . . . Xk.p. 

Proof. Easy induction on k, keeping in mind that t is assumed to be closed. □ 

Lemma 4.2.9. If t Fr[r2 then t = Frir2 where ri and r2 3>q Tj. 

Proof. According to the convention from Notation 4.1.2 we have Fr[r2 = A/.SrJ^g and there are two 
possibilities: 

• r'2 is not a lambda-abstraction and q = \x.r2{fx), 

• r'2 = Xz.q2 and q = Xx.q2[z/{fx)]. 

Since t Xf.'E.r'^q there exist contexts Ci, C2, closed terms ti, . . . ,tk, and canonical terms pi, . . . , pk, 
such that U Pi tor i = I, . . . ,k, t = Xf.ECi[ti,...,tk]C2[ti,...,tk], r[ = Ci[pi,...,pk] and 
q = C2[pi, . . . , Pfc]. We take ri = Ci[ti, . . . If g = Xx.r'2{fx) then C2 = Xx.C'2{fx) where 

r'2 = C2[pi, . . . , Pfe], and we take r2 = C2 [ii, . . . , ifc]. If r'2 = Xz.q2 and q = Xx .q2[z / {f x)] then 
C2 = Xx.{C'2)[z/{fx)] where C2 [pi, . . . , Pfc] = <Z2, so Az.C2[pi, . . . , Pfc] = r'2. Hence we take r2 = 
Xz.C'2[tu...,tk]- □ 

Recall that we use the notations R, >, etc. without subscripts to denote i?^, -^t;, 

etc., where C is the ordinal introduced just before Definition 4.1.9. For this ordinal we have — >-<c, 
= R<(;, etc. 

Lemma 4.2.10. If ti, t2 are terms, p is a canonical term, and t is a type, then for every ordinal a 
and every natural number n the following conditions hold: 

(1) ifti >" t2 )~a P then ti ^ p, 

(2) ifti >" t2 T then ti - t, 

(3) ifti >" t2 -^<a t'2 then ti -^R t'l >" t'2. 

Proof. Induction on pairs {n, a) ordered lexicographically, i.e. (ni, ai) < (n2, a2) iff rii < n2, or ni — n2 
and ai < a2. 

First we verify condition Suppose ti t2 t. If t2 t is obtained by rule (A) or (H) then 
f2 = for r G S or t2 = i/, so ti = t2 and the claim is obvious. 

If ^2 T is obtained by rule (Kw) or (Ke) then t2 = Kt'2, r G {uj, e} and t'2 '^<Q c where c G {T, 
i.e. t'2 -»<Q t'2 y<a c for some t'2. Hence ti = Kt'-^ Kt'2 = and thus t'^ 3>" t'2 ^<q t'2 ><a c. By 
part ^ the IH there exists t'l such that t'^ t'{ t'2 y<a c. By part H]) of the IH we obtain t'^ ^ c. 
Hence ti ^ t. 

If t2 T is obtained by rule (Foj) then t = ut and t2 = Fr'ir'2. By Lemma 4.2.9 we conclude 
ti = Frir2 Fr'ir'2 where ri r'j^ '^<a £■ So by part ([2]) of the inductive hypothesis ri ^ e. 
Therefore ti ~ a; = r by rule (Flu) . 

The remaining case is when t2 '^a t is obtained by rule (F). Then again t2 = Fr'^r'2 and by 
Lemma 4.2.9 we obtain ti = Frir2 3>" Fr'ir'2 where ri r'l and r2 r'2. We have r = ti T2, 
ri rj^ '^<Q Ti and r2 r2 T2. By part ([1]) of the IH we obtain ri ^ ti and r2 ^ T2. Therefore 
ti = Frir2 r by rule (F). 

Now we verify condition ([1]). If i2 = P then ti ^ p. By ([1]) in Fact 4.2.7 we have p = Xxi . . . x„.c, so 
by definition of 3>, there exist a unary context C, a term t' , and a canonical term p' such that ti = C'[t'], 
p = C[p'] and t' y p' . li C = p then the claim is obvious. Otherwise C = Xxi . . . Xfc.D where k < n, 
p' G T^, and p G T^i-^r, by © in Fact 4.2.7. By Lemma 4.2.8 we obtain ti = C[t'] = Axi . ..Xk.t' y 
Xxi ...Xk.p' = C[p'] = p. 

Next assume that p ^ Tr where t = ti T2 E Ti. Thus for all p' G T^.^ there exists t'2 such 
that t2p' ^<Q ^2 •F{p){p')- Then obviously tip' t2p' t'2: so by part ^ of the inductive 

hypothesis there exists t'^ such that tip' ^r t'^ t'2 >-<a T{p){p'). Using part ([1]) of the IH we obtain 
^ip' t'l J-{p){p'). This implies ti >- p. 

The remaining case to check is p G Tq. Suppose p = T, so ti t2 T. We consider all possible 
forms of t2 according to the definition of t2 >~a T. Suppose a = 0. If t2 = LAr for r G B or ^2 = LH 
then ti = t2 and the claim is obvious. If t2 = A^c for t € B then again ti = t2, because if c is a canonical 
constant of a base type r then the condition t y c implies t = c. If i2 = T then ti ;^ t2 = T and the 
claim is also obvious. If ti = Ht'i t2 = He T where c = T or c = _L, then t'l >- c. Then by 
definition Ht[ >- T, which establishes our claim. Now let a > 0. Suppose condition (Bj) in the definition 
of t2 >~a T is satisfied. Then ti = Srir2 Sr']^r2 = ^2 where ri r'l and r2 rj. By definition of 
)~a there exists r such that r'l t and for all ^3 G T,- we have r'2t3 ^<q, T, i.e. r'2t3 ^<q, t'^ )^<a T. 
Since ri r'^ '-^^^ we conclude that ri ~ r by condition ([2]) which we have already verified. Because 
for all ^3 G Tt- we have r2t3 3>" r-jts ^<a ^3 ;^<q T, so by part ([3]) of the IH for all ^3 G T,- there exists 
such that r2tz ^3 ^3 ;^<q T. Hence r2<3 T by applying part ^ of the IH. Therefore ti^ ~V 
by definition of If t2 = H {'E,r'-^r2) , ^2 = L{Fr[r2) or t2 = Hr[, then the proof is analogous. If p = J-, 
i.e. ti t2 >-a -L, the proof is also similar. 

It remains to prove ([3]). It suffices to consider a single reduction step, i.e. to show that ti 
^2 -^<Q t'2 implies ti ^r t'l ^3- We have ti = C[ri, . . . , r^] and ^2 = C[pi, . . . , pk] where >- pi 
and rank(/9i) < n, for j = l,...,k. Denote by Cq[pi, . . . , pk] the contracted redex in <2, where the 
boxes in Cq correspond to appropriate boxes in C. By Ce we denote the surrounding context satisfying 
C = Ce[Co, . . . , Dfe]. It follows from the definition of i?Q that there are four possibilities: Co = Xx.Cix 
where a; ^ FV{Ci), Cq = (Ax.Ci)C2, Co = cqCi for cq G Et-j-j.^-^, or Cq = DiCi for some 1 < z < fc. In 
the first two cases we have t2S = Ce[Co[pi, . . . , Pk],Pi, ■ ■ ■ , Pk] where Co — Cq, so we may just take 
t[ = Ce[CQ[ri, . . . ,n],ri, . . . ,rfe]. 

Otherwise the contraction in t2 produces some canonical term p, i.e. Co[pi, . . . , Pk] -^<a P- It suffices 
to prove: 

(★) there exists t such that Co[7'i, . . . , r^] ~>*r t >- p, and if t ^ p then rank(/9) < n. 

Indeed, if (★) holds then simply take t'^ = Ce[t,ri, . . . , r^]. We have ti = Ce[Co[ri, . . . , r^], ri, . . . , r^] ~»r 
Ce[t,ri, . . . , Tfc] = t[ and ^3 = Ce[p, ri, . . . , r^]. Now it is easy to see that t[ if ^ = p then we 

take Ce[p, Di, • . • , Dfc] as the context required by the definition of otherwise we take Cg noting that 
t )^ p and rank(p) < n. 

If Cq = cqCi then Ci[/9i, . . . , pfc] ;^<q, p' where T{c){p') = p. We conclude Ci [ri, . . . , r/,.] ^ p' 
by part (P) of the IH and the fact that Ci [ri, . . . , rfc] Ci[/9i, . . . , p^]. Therefore Co[ri, . . . , rfe] = 
cCi [ri, . . . , rfc] ^-fj p and we are done. 

Suppose Co = DiCi where 1 < i < fc. First assume that pi is a canonical constant of type ri — > T2. 
As in the previous paragraph we have Ci [pi, . . . , pk] '>~<a p' where J-'{pi){p') = p, so Ci [ri, . . . , r^] ^ p' 
by part ^ of the IH. Obviously rank(p) = rank(r2) < rank(Ti — > T2) = rank(pi) < n and rank(p') — 
rank(Ti) < rank(ri) + 1 < rank(ri ^ T2) = rank(/9i) < n. Let r = Ci[ri, . . . , rj,]. We have r >~ p' and 
rank(p') < n, so r^r r^p' where the context required by the definition of is riD. Since ^ p.; 
and the canonical type of pi is a function type, we conclude by definition of >- that r^p' J-{pi){p') = p. 
Note that we may have = p^, but then the condition rip' ^ p is satisfied anyway, by definition of 
T . Therefore there exists t' such that r^r r^p' i' :^ p. By part ([3]) of the inductive hypothesis 
there exists t such that r^r < )^ p. Applying part ((T|) of the IH we obtain t >- p. Hence 

Co[ri, . . . , T-fc] = riCi[ri, . . . , r^] = r^r t>- p where rank(p) < n, so (★) holds. 

Now suppose that pi = Xxi . . .Xm-c for m > 0. We have Co[ri, . . . ,rfc] = riCi[ri, . . . ,rfc] where ;^ 
Pi. By definition of >- we conclude that there exists t such that r^Ci [ri, . . . , r^] -^i^ t >- \x2 ■ ■ ■ Xm-c = p- 
Obviously we also have rank(p) < rank(pi) < n. Thus (★) holds. □ 

Corollary 4.2.11. Ifty- pi and C[pi] p2, then C[t\ ^ p2- 

The above corollary states that our definition of >■ is correct. If t ;^ pi then t behaves exactly like pi 
in every context C such that C[pi] has an "interesting" interpretation. 

The following final lemmas show that the conditions on 3^ required for a classical illative model are 
satisfied by M.. 

Lemma 4.2.12. If Ht T then t T or t ^a+i ^• 

Proof. Keeping in mind the convention regarding the meaning of Ht, we note that if Ht T then 
Ht Ht' T where t -»<q, t' . Thus it suffices to show that for any closed term t if Ht >a T then 

t T 01 t -L. 

We proceed by induction on a. If a = then the only possibility is t G {T, A.} and the claim is 
obvious. Suppose Ht T for a > and Ht ^0 T. Then one of the conditions (S]^), {F^) or {Hj) 
must hold for Ht. First note that if {Hj) holds then t ^^<;q, T by definition. 
If (Sj^) holds then t = Siii2 and there exists r such that ti t and for all t2 6 T,- we have 
H{t2t^) '^<a T, so by the IH either ^2^3 ^<q T or t2t3 -L- If for all G T,- we have t2tz T, 
then condition (S^) is satisfied and we conclude that t = Sti<2 T. If there exists ^3 € Tr such that 
^2^3 -L then, noting that ti ^a+i t, we obtain t = Siii2 >-a+i -L by appealing to condition (S^). 

Finally, if (F/) holds then Ht = L{Ftit2). This is only possible when Ftit2 = Xf.EtiXx.t'2[z/{fx)] 
where ^2 = Az.ij and z ^ FV{t2), so t2 = ^^^2- Thus we have Ht = LXf.Etit2 = H{Etit2), and hence 
t = Stit2- Now we have two possibilities. 

• If ti £ then {EJ ) holds because = 0. Thus t = Etit2 T. 

• If ti T for r 7^ e and Lt2 '^<a T, then Ht'2 = L{Kt'2) = Lt2 '^<a T. By the IH we 
obtain t'2 -^^a T or t'2 -L- In the first case for all ^3 G Tr we have ^2^3 -^p t'2 '^<q T. 
Thus condition (S^) holds and we have t = 'B.tit2 >~a T. If t'2 ± for any 
t3 G Tr- Noting that H{Etit2) = Ht T and ti ^a+i t we conclude by condition (S-*-) that 

t = =Ltit2 >a+l -L- 

This completes the proof. □ 

Lemma 4.2.13. If Lt T then t -^<a t' ^ t for some term t' and some type t. 

Proof. Induction on a. If Lt T then Lt -^<a Lto T where t t^. If a = then to = for 
T G to = H, to = KT or to = K±, so ~ t' for some r' by rule (A), (H), (Kw) or (Ke). 

If Lto T for a > but Lto )/-o T then one of the conditions (Sj^), {Fj) or {Hj) holds. If (Sj) 
or {HJ) holds then to = Kti and Hti = L{Kti) T, so ^ c G {T, L] by Lemma 4.2.12. Hence 
to = Kti ~ r G {a;,e} by rule (Kw) or (Ke). Thus suppose (F/) holds. Then to = Fti<2 and we have 
two possibilities. If ti ~ct £ then = Ftit2 ~ t^J. If ti '''i for some t\ ^ e and Lt2 '^<c( T, then by 
the inductive hypothesis ^2 ^2 '''2j so io ^<a Ftit'2 ^ ri — > T2. □ 

Lemma 4.2.14. //t t i/ie^ /or all to G we have tto ^q+i T. 

Proof. Induction on a. If t t is obtained by rule (A), (H), (Kw) or (Ke), then the claim is obvious. 
If t T is obtained by rule {Flu) then t = Ftit2, t — uj and ti £. Let t^ be an arbitrary closed 
term. We have Ftit2t3 — Etir for some r. Since ti £ and = 0, we conclude by condition (Ej) 
that Etir T. Hence Ftit2t3 T. 

The remaining case is when t ~q t is obtained by rule (F). Then t = Ftit2, r = ti — >■ T2, '''i 
and ^2 ~<a T2. Suppose G Tt-j_>t-2 (possibly ti — T2 = w). Then for all ri G Tt-j there exists r2 G Tt-j 
such that tori ^<i r2. Also, we have Ftit2to =<o EtiXy.t2{toy). Hence iXy.t2{toy))ri -^<i t2'"2- 
Because ^2 '^<a ^2, we have t2r2 T by the IH, so {Xy.t2{toy))ri T. Therefore EtiXy .t2{toy) >~a T 
by condition [EJ). Hence, by Corollary 4.2.4 we obtain Ftit2t' T. □ 

Lemma 4.2.15. The following conditions are satisfied. 

• If Lti ^ T and for all t^ such that tit^ ^ T we have t2t3 ^ T , then Etit2 ^ T. 

• If Lti T and for all t^ such that tit^ ^ T we have H{t2tz) T, then H{Etit2) ^ T. 

• If Lti T, and either Lt2 T or there is no t^ such that tit^ ^ T, then L{Ftit2) ^ T. 

Proof. Suppose Lti ^ T. By Lemma 4.2.13 we have ti -^ji t'l ^ r for some type r. Assume that for 
all ^3 such that ^1^3 ^ T we have ^2^3 ^ T. Let to G Tt-. Then by Lemma 4.2.14 we obtain t'lto ^ T. 
Because tito =r t'lto, by Corollary 4.2.4 we conclude tito ^ T. Then by assumption ^2^0 ^ T. Therefore 
by (EJ) we obtain Et[t2 >- T. Hence Etit2 T. 

The remaining two conditions are shown in an analogous way using Lemma 4.2.13, Lemma 4.2.14 and Corollary 4.2.4. □ 



Lemma 4.2.16. If t1 ~α τ, τ ≠ ω, τ ≠ ε and t1t2 ^ T, then t2 ^ ρ for some ρ ∈ T_τ. 






Proof. Induction on a. If ti t is obtained by rule (A) then ti = for t E B, and Art2 -^r t' y-f. 
So t' = ATt'2 where t2 -^r t^. By Definition 4.1.7 we have t'2 = c for c e T,-. Hence t2 ^ c. If ti t is 
obtained by rule (H) then ti = H and i2^cG{T,±} by Lemma 4.2.12. 

It is impossible that ti ~„ r is obtained by rule (Kω), (Kε) or (Fω), because then ti w or ti £, 
so by (5) in Lemma 4.2.3 we would have τ = ω or τ = ε. 

The only remaining case is when t\ — ^\ — ^ '^2 is obtained by rule (F). Xhen t\ — Ft\T2 ~a ^ — 

Ti —5- T2 where ri n, r2 '^<q T2, n 7^ e. We may also assume T2 ^ lo and T2 ^ s, since otherwise 
T = w or r = e. We have SriAj/.r2(t2y) T, so Sr^rj ;^ T where ri r'j^, Xy.r2{t2y) -»_r »'2- By 
inspecting Definition 4.1.7 we see that the only possible way for E,r[r2 :^ T to hold is when condition (Ej) 
is satisfied, i.e. there exists r' such that r[ ^ r' and for all e T^/ we have ra^s ^ T. By (4) in 
Lemma 4.2.3 we have r[ ti, so it follows from (5) in Lemma 4.2.3 that r' = ri. Therefore for any 
t3 G Tri we have ri^ta ^ T. Since r2(<2i3) =<o (•^2/-^2(^22/))^3 ^i?, ^'2^3, we obtain by Corollary 14.2.41 
that r2{t2t3) ^ T for any ^3 G T,-j. Because r2 ~<q ■''2 where r2 7^ w and T2 e, we conclude by the 
inductive hypothesis that the following condition holds: 

(*) for all G Tt-^ there exists p2 G T^^ such that ^2^3 ^ P2- 

Note that p2 depends on t^. 

If Ti ^ Lu then Tt-j-j.^^ contains a constant for every set-theoretical function from Tt-j to Tt-^. In 
particular it contains a constant c such that for every pi G T^^ we have J^{c) (pi ) = p2 where p2 G T^^ is 
a term depending on pi such that ^2^1 ^ P2- Such a p2 exists by (★). Therefore by definition of >- we 
have t2 ^ c G Tt-. 

If Ti ^ u! then it suffices to show that there exists a single p' G T^^ such that for all closed ^3 we 
have ^2^3 p' ■ Indeed, if this holds then t2 >- Kp' G T„^r2 = ^t- Let v be an external constant. 
Obviously G T^, so by (★) there exists p' G Tt-^ such that t2i^ ^ p', i.e. t2i' -^r t' >- p' for some closed 
term t' . Taking C = ^2^, we conclude by condition (1) in Lemma 4.2.2 that t' = C'\i'\ where C ~^r C . 
By condition ^ in Lemma 4.2.2 we have C[t^] >- p' for any closed term ^3. Therefore for any ^3 there 
exists ^3 such that ^2^3 -^r t'3 p' , i.e. ^2^3 ^ p' ■ This p' depends only on v, but not on ^3, so our claim 
has been established. □ 

Lemma 4.2.17. If'E,tit2 ^ T then for all closed terms t^ such that tit^ ^ T iwe have t2tz ^ T. 

Proof. If Siii2 T then Stii2 -^r. 'Et'it'2 >- T where ti -^r t'l and t2 -^r. t'2. The only possibility 
for 'E.t[t2 ;^ T to hold is that condition (EJ) holds for Si'j^ij- Thus t[ ^ t for some type t. Suppose 
tit^ ^ T. By Corollary 4.2.4 we have t'^t^ ^ T. Because t2t3 ^r ij^Sj it suffices to show that t2t3 ^ T. 
If τ = ω then this is obvious by definition of (S^). We cannot have τ = ε, since if t'l ^ e then by ^ 
in Lemma 4.2.3 and by Corollary 4.2.5 there is no t such that t[t ^ T. If t[ ^ t ^ u! and r 7^ e, then 
we use Lemma 4.2.16 to conclude that there exist ^3 and p G such that t^ -^r t'^ >- p. Because (Bj) 
holds for 'Bt'it'2, t[ ^ r and p G T-r, we have t2P ^ T. Since t'^ >- p, taking C = ^21^ we conclude by 
Corollary 4.2.11 that ^2^3 T, so ^2^3 ^ T. □ 

Theorem 4.2.18. The systems I^^ and are strongly consistent, i.e. ΞHI is not derivable in them. 

Proof. We verify that the structure M constructed in Definition 4.1.9 is a one-state classical illative model 
for I^. It follows from Lemma 4.2.6 that the combinatory algebra of M is extensional. Corollary 4.2.4 
implies that [t]R G ^ is equivalent to t T. We need to check the conditions stated in Fact 3.8. 
Conditions H]), and (g]) follow from Lemma 4.2.15. Condition (O follows from Lemma 4.2.17. Conditions (O 
and (O are obvious from definitions. 

It is also easy to see that I^m ΞHI. Indeed, otherwise we would have ΞHI ^ T, which is possible 
only when {EJ) is satisfied for ΞHI. Thus H ^ t for some type r, and for all f G T,- we have H ^ T, 
so i ^ T by Corollary 4.2.4. It is easily verified by inspecting the definitions that we must have r = o. 
But then _L ^ T which is impossible by Corollary 4.2.5. 

Therefore, by the soundness part of Theorem 3.6 the term ΞHI is not derivable in I^, and hence 
neither in , which is a subsystem of . □ 

5 The embedding 



In this section a syntactic translation from the terms of PRED2$_0$ into the terms of $\mathcal{I}_0$ is defined and 
proven complete for $\mathcal{I}_0$. The translation is a slight extension of that from [BBD93]. The method of the 
completeness proof is by model construction analogous to that in the previous section. Relinquishing 
quantification over predicates and restricting arguments of functions to base types allows us to 
significantly simplify this construction and to extend it to more than one state. 

We use the notation T for the set of types of Xq. We fix a signature for PRED2o, and by T^r denote 
the set of constants of type r in this signature. We always assume that all variables of PRED2o are 
present in the set of variables of Iq . 

Recall that by T(E) we denote the set of type-free lambda terms over a set of primitive constants S, 
which is assumed to contain S and L. We also assume that S contains every constant c G St- for any 
T G and a new constant Ar for each t £ B. For the sake of uniformity, we will sometimes use the 
notation Ag for H. For every composite type r = ti — > r2 G we inductively define Aj- = FAt-^At^- 
We use the same notational conventions concerning Kt, Ht, etc. as in Section U) 

Definition 5.1. We define inductively a map $[-]$ from the terms of PRED2$_0$ to $T(\Sigma)$ as follows: 

• $[x] = x$ for a variable $x$, 

• $[c] = c$ for a constant $c$, 

• $[t_1 t_2] = [t_1][t_2]$, 

• $[\varphi \supset \psi] = [\varphi] \supset [\psi]$, 

• $[\forall x.\varphi] = \Xi A_\tau \lambda x.[\varphi]$ for $x \in V_\tau$. 

We extend the map to finite sets of formulas by defining $[\Delta]$ to be the image of $[-]$ on $\Delta$. We also 
define a mapping $\Gamma$ from sets of formulas to subsets of $T(\Sigma)$, which is intended to provide a context for 
a set of formulas. For a finite set of formulas $\Delta$ we define $\Gamma(\Delta)$ to contain the following: 

• $A_\tau x$ for all $x \in FV(\Delta)$ s.t. $x \in V_\tau$, and all types $\tau$, 

• $A_\tau c$ for all $c \in \Sigma_\tau$, and all types $\tau$, 

• $LA_\tau$ for all $\tau \in \mathcal{B}$, 

• $A_\tau y$ for all $\tau \in \mathcal{B}$ and some $y \in V_\tau$ such that $y \notin FV(\Delta)$. 
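
The translation of Definition 5.1 and the context mapping defined after it, written out as an added example (this is not code from the paper). The class and function names are hypothetical; Ξ, λ and ⊃ are printed in ASCII as `Xi`, `\x.` and `=>`, and ⊃ on the illative side is kept as an uninterpreted binary node because its definition is not given in this section.

```python
from dataclasses import dataclass

# Types as restricted in this section: o, a base type, or (base type) -> tau.
@dataclass(frozen=True)
class O:
    pass

@dataclass(frozen=True)
class Base:
    name: str

@dataclass(frozen=True)
class Arrow:
    dom: Base
    cod: object

# Source terms and formulas (hypothetical AST for this example).
@dataclass(frozen=True)
class Var:
    name: str
    type: object

@dataclass(frozen=True)
class Const:
    name: str
    type: object

@dataclass(frozen=True)
class App:
    fn: object
    arg: object

@dataclass(frozen=True)
class Imp:
    left: object
    right: object

@dataclass(frozen=True)
class Forall:
    var: Var
    body: object

# Type-free target terms: atoms are strings, compound terms are tuples.
def ap(f, *args):
    for a in args:
        f = ("app", f, a)
    return f

def A(tau):
    """A_o is H, A_tau is a primitive constant for base tau, A_(t1->t2) = F A_t1 A_t2."""
    if isinstance(tau, O):
        return "H"
    if isinstance(tau, Base):
        return "A_" + tau.name
    return ap("F", A(tau.dom), A(tau.cod))

def translate(q):
    """The map [-] of Definition 5.1."""
    if isinstance(q, (Var, Const)):
        return q.name
    if isinstance(q, App):
        return ap(translate(q.fn), translate(q.arg))
    if isinstance(q, Imp):
        return ("imp", translate(q.left), translate(q.right))
    if isinstance(q, Forall):
        return ap("Xi", A(q.var.type), ("lam", q.var.name, translate(q.body)))
    raise TypeError("not a term or formula: %r" % (q,))

def free_vars(q, bound=frozenset()):
    if isinstance(q, Var):
        return set() if q in bound else {q}
    if isinstance(q, Const):
        return set()
    if isinstance(q, App):
        return free_vars(q.fn, bound) | free_vars(q.arg, bound)
    if isinstance(q, Imp):
        return free_vars(q.left, bound) | free_vars(q.right, bound)
    return free_vars(q.body, bound | {q.var})

def gamma(delta, signature, base_types):
    """Context for a finite set of formulas: typing facts for free variables and
    constants, L A_tau for base types, and one fresh inhabitant per base type."""
    fv = set().union(*(free_vars(phi) for phi in delta))
    used = {x.name for x in fv}
    ctx = {ap(A(x.type), x.name) for x in fv}
    ctx |= {ap(A(c.type), c.name) for c in signature}
    for b in base_types:
        ctx.add(ap("L", A(b)))
        y = "y_" + b.name
        while y in used:          # the chosen variable must not be free in delta
            y += "'"
        ctx.add(ap(A(b), y))
    return ctx

def show(t, paren=False):
    if isinstance(t, str):
        return t
    if t[0] == "app":
        f, a = t[1], t[2]
        s = show(f, not (isinstance(f, str) or f[0] == "app")) + " " + show(a, True)
    elif t[0] == "lam":
        s = "\\" + t[1] + "." + show(t[2])
    else:
        s = show(t[1], True) + " => " + show(t[2], True)
    return "(" + s + ")" if paren else s

if __name__ == "__main__":
    i = Base("i")                                  # constructed sample signature
    P, x = Const("P", Arrow(i, O())), Var("x", i)
    print(show(translate(Forall(x, Imp(App(P, x), App(P, x))))))
    print(sorted(show(t) for t in gamma([App(P, x)], [P], [i])))
```

Note that a bound variable contributes nothing to the context: only free variables of the formula set, the constants of the signature and the base types do.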

Lemma 5.2. For any $\tau \in \mathcal{T}$ and any $\Delta$ there exists a term $t$ such that $\Gamma(\Delta) \vdash A_\tau t$. 

Proof. First note that by a straightforward induction on the size of $\tau$ we obtain $\Gamma(\Delta) \vdash LA_\tau$ for any 
type $\tau$. 

We prove the lemma by induction on the size of $\tau$. If $\tau \in \mathcal{B}$ then $A_\tau y \in \Gamma(\Delta)$ for some variable $y$. If 
$\tau = o$ then notice that e.g. $\vdash H(LH)$. If $\tau = \tau_1 \to \tau_2$ then we need to prove that $\Gamma(\Delta) \vdash FA_{\tau_1}A_{\tau_2}t$ for 
some term $t$. Because $\Gamma(\Delta) \vdash LA_{\tau_1}$, it suffices to show that $\Gamma(\Delta), A_{\tau_1}x \vdash A_{\tau_2}(tx)$ for some term $t$ and 
some $x \notin FV(\Gamma(\Delta), t)$. By the inductive hypothesis there exists a term $t_2$ such that $\Gamma(\Delta) \vdash A_{\tau_2}t_2$. So 
just take $x \notin FV(\Gamma(\Delta), t_2)$ and $t = Kt_2$. □ 

Theorem 5.3. The embedding is sound, i.e. $\Delta \vdash_{\mathrm{PRED2}_0} \varphi$ implies $[\Delta], \Gamma(\Delta, \varphi) \vdash_{\mathcal{I}_0} [\varphi]$. 

Proof. Induction on the length of derivation of $\Delta \vdash_{\mathrm{PRED2}_0} \varphi$, using Lemma 3.2. The only interesting 
case is with modus-ponens, as from the inductive hypothesis we may only directly derive the judgement 
$[\Delta], \Gamma(\Delta, \psi), \Gamma(\varphi) \vdash_{\mathcal{I}_0} [\psi]$. To get rid of $\Gamma(\varphi)$ on the left, we note that if $t \in \Gamma(\varphi) \setminus \Gamma(\Delta, \psi)$ then 
$t = A_\tau x$ for $x \in FV(\varphi) \setminus FV(\Delta, \psi)$. Now, by Lemma 5.2 there exists $t'$ such that $\Gamma(\Delta, \psi) \vdash_{\mathcal{I}_0} A_\tau t'$. It is 
not difficult to show by induction on the length of derivation that $[\Delta], \Gamma(\Delta, \psi), \Gamma(\varphi)[x/t'] \vdash_{\mathcal{I}_0} [\psi]$, i.e. 
that we may change $A_\tau x$ on the left to $A_\tau t'$. To eliminate $A_\tau t'$ altogether, it remains to notice that if 
$\Gamma, t_1 \vdash_{\mathcal{I}_0} t_2$ and $\Gamma \vdash_{\mathcal{I}_0} t_1$ then $\Gamma \vdash_{\mathcal{I}_0} t_2$. 

If we had extended our semantics for PRED2$_0$ a bit by allowing non-constant domains, then we could 
also give a relatively simple semantic proof by transforming any illative Kripke model for $\mathcal{I}_0$ to a Kripke 
model for PRED2$_0$, and appealing to the completeness part of Theorem 3.6. □ 






The rest of this section is devoted to proving that the embedding is also complete. 

Let $\mathcal{N}$ be a Kripke model for PRED2$_0$. We will now construct an illative Kripke model $\mathcal{M}$ such that 
$\mathcal{M}$ will "mirror" $\mathcal{N}$, i.e. exactly the translations of true statements in a state of $\mathcal{N}$ will be true in the 
corresponding state of $\mathcal{M}$. This construction is the crucial step in the completeness proof. It is similar 
to the construction given in Section 4. For the rest of this section we assume fixed $\mathcal{N}$. 

Definition 5.4. The set of types is given by: 

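$\mathcal{T}^+ ::= \mathcal{T} \mid \omega \mid \varepsilon$ 
$\mathcal{T} ::= o \mid \mathcal{B} \mid \mathcal{B} \to \mathcal{T}$ 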

The set T C consists of the types of TV. □ 

We define a set of primitive constants and the sets $\mathcal{T}_\tau$ of canonical terms of type $\tau$, just like in 
Definition 4.1.3, but restricting ourselves only to the types in defined above. To save on notation 
we often confuse constants corresponding to elements of TV with the elements themselves. For instance, 
we sometimes write c S for c G E+, which is to be interpreted as dc G where dc is the element 
of TV corresponding to c. Note that E+ is disjoint from the signature S of TW which we defined earlier. 
The terms over E form the syntax. The terms over E"*" are used to build the model. To every constant 
c S E corresponds exactly one constant c+ G E+ which is associated with the element d G such 
that Ic^jfj- = d. This correspondence, however, need not be injective, as there may be another constant 
c' G E, c' c, such that |c']_^ = d. 

Let S be the set of states of TV. By T we denote the constant such that (7j\f{T) = S, and by _L the 
constant such that (t^(±) = 0. In what follows p, p', etc. stand for T or _L. 

Definition 5.5. We construct a reduction system $R$ as follows. The terms of $R$ are the type-free 
lambda-terms over $\Sigma^+$. The reduction rules of $R$ are as follows: 

• rules of $\beta$- and $\eta$-reduction, 

• $c\,c_1 \to c_2$ for $c \in \Sigma^+_{\tau_1 \to \tau_2}$, $c_1 \in \Sigma^+_{\tau_1}$ and $c_2 \in \Sigma^+_{\tau_2}$ such that $\mathcal{F}(c)(c_1) = c_2$. 

It is easy to see that $R$ has the Church-Rosser property. 

Definition 5.6. For each ordinal a and each state s G 5 we inductively define a relation between 
terms and types in T"*", and a relation between terms and T or ±. The notations '^<q, '^<aj 

etc. have analogous meaning to those in Section 4. 

The relation is defined by the following conditions: 

{A) Ar T for T G 

{H) H o, 
{Ku) if t T then Kt w, 
{Ke) if t _L then Kt e. 

We postulate t T for a > and all closed terms t such that: 



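(1) $t = c$ for some $c \in \Sigma^+_o$ such that $s \in \sigma_{\mathcal{N}}(c)$, or 

(2) $t = LA_\tau$ for some $\tau \in \mathcal{B}$, or 

(3) $t = LH$, or 

(4) $t = A_\tau c$ for $\tau \in \mathcal{B}$ and $c \in \Sigma^+_\tau$, or 

(5) $t = Hc$ for $c \in \Sigma^+_o$. 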

When a > we postulate t T for all closed terms t such that: 

(S^) t = Stii2 where ti, t2 are terms such that there exists r s.t. ti r and for all s' > s and all 
ts G T,- we have t2t3 T, or 
i^Jj) t = H{Etit2) where ti, t2 are terms such that there exists r s.t. ti r and for all s' > s and all 
^3 e we have H(t2h) T, or 

[Hj) t = Hh and h -^^<„ T. 

Finally, we postulate i _L for a > and all closed terms t such that: 

(1) t = ceV-^ and s i crA^(c), 

(2) t = Stii2, m ^<a T, and there exist a type r s.t. ii r, a term fa e and a state s' > s such 
that ^2*3 ^<'q -L- 

It is easy to see that for a < /3 we have C ~^ and C )-^. Thus, by a simple cardinality 
argument, there exists an ordinal ( such that = y"^^ for all s € S. Note that we also have = 
We use the notations and without subscripts for and 

Definition 5.7. The structure 7W is defined as follows. We define the extensional combinatory algebra C 
of M to be the set of equivalence classes of =r on closed terms. We take the set S of states of TV to be the 
set of states of Ai as well. For c G E we define the interpretation / of by /(c) = [c+J^j , where c+ £ S+ 
corresponds to the element |c]]jy. The function aM is given by (TM{d) = {s £ 5 | 3t.d — [tja A t T}, 
where t is required to be closed. 

For convenience we reformulate the definition of an illative Kripke model for Tq in terms of the notions 
used to construct Ai. 

Fact 5.8. If the following conditions hold, then Ad is an illative Kripke model for Xq. 

(1) If ti t2 then ti T is equivalent to t2 T. 

(2) Ift^^J then t T for all s' > s. 

(3) If for all ^3 we have tit^ f2^3 then ti —i^ ^2- 

(4) If Lti T and for all s' > s and allt^ such thattit^ T we have t2t'i T , then'Btit2 T . 

(5) //Stif2 T then for all t^ such that tit^ T we have ^2^3 T. 

(6) If Lti T and for all s' > s and all t^ such that tit^ T we have -ff(f2^3) T, then 
H{Etit2) T. 

(7) Ift-^^ T then Ht T . 

(8) LH-^' T. 

Proof. Condition ([T]) ensures that s G <TM{[t]R) is equivalent to t T. Condition ([2]) implies that for 
any d ^ A4 the set ctx (d) is upward-closed. Condition ^ implies that the combinatory algebra of Ai is 
extensional. The remaining conditions are a reformulation of the conditions imposed on a in an illative 
Kripke model for Xq . □ 

Lemma [4.2.11 holds verbatim with our modified construction. We also have the following lemma which 
implies that (JmHAr) i^ upward-closed for any term t. 

Lemma 5.9. Ift>~%T then t T for s' > s. 

Proof. Induction on a. □ 
Corollary 5.10. Ift-^^T then t T for s' > s. 

Remark 5.11. The necessity of the above corollary is precisely the reason why it is not easy to extend 
this construction to the case of full higher-order intuitionistic logic, i.e. when we have functions and 
predicates of all types and more than one state. In that case we would need separate reduction systems 
for each s and α, similarly to what is done in Section 4. But then it would not be the case that C R^ 
for s' > s. Roughly speaking, this is because t _L is interpreted as "t is not true in state s based on 
what we know at stage α", and not as "t is false in state s". Thus we may have t -L and t T 
s. This by itself is not yet a fatal obstacle, because we really only care about t T 
being monotone w.r.t. state ordering. However, the condition t y% _L would be used to define R%, 
which would make non-monotone w.r.t. s. Thus t T would not be monotone either, as it is 
equivalent to t t' T. Hence the corollary would fail. This explains why we do not simply give 
a single construction generalizing both the present one and the one from Section 4. 

Lemma 5.12. Let $t_1$ and $t_2$ be closed terms. If for all closed $t_3$ we have $t_1t_3 =_R t_2t_3$, then $t_1 =_R t_2$. 

Proof. If $t_1t_3 =_R t_2t_3$ for all closed $t_3$, then in particular $t_1\nu =_R t_2\nu$ for an external constant $\nu$ not 
occurring in $t_1$ and $t_2$. By the Church-Rosser property of $R$ there exists $t$ such that $t_1\nu \twoheadrightarrow_R t$ and $t_2\nu \twoheadrightarrow_R t$. 
Because there are no rules in $R$ involving $\nu$, and $\nu$ cannot be produced by any of the reductions, it is 
easy to verify by induction on the number of reduction steps that $t = C'[\nu]$, $t_1\nu = C_1[\nu]$, $t_2\nu = C_2[\nu]$, 
$C_1 \twoheadrightarrow_R C'$ and $C_2 \twoheadrightarrow_R C'$, where $\nu$ does not occur in $C_1$, $C_2$ or $C'$. Hence $t_1x = C_1[x] =_R C_2[x] = t_2x$ 
for a variable $x$, and thus $\lambda x.t_1x =_R \lambda x.t_2x$. Because $R$ contains the rule of $\eta$-reduction, we conclude 
that $t_1 =_R t_2$. □ 

Lemma 5.13. For all a > and all s E S we have: 

(1) ifti p and ti t2 then t2 >-a P, 

(2) ifti --^ T and ti -^i? t2 then t2 '^^ t. 

Proof. Induction on α. The proof is analogous to the proof of corresponding conditions in Lemma 4.2.3. 
Condition (2) follows easily from the inductive hypothesis and the Church-Rosser property of R. 

For condition ([1]), as an example we treat the case ti = where a > and condition (Ej) in 

the definition of ti T is satisfied. We have t2 = 'Et\t\ where t\ t\ and t\ t\. Suppose 
t\ r. By we obtain t\ r. It therefore suffices to check that for all ^3 S T,. and all s' > s we 
have ^1^3 ^-^^Q, T . But for ^3 G TT^- obviously ^^^3 ^o ^2^3 ^^<a ~^ P<^i'f ([T|) of the IH and the 

Church-Rosser property of R. □ 

Corollary 5.14. Ift —n t' then t p is equivalent to t' p. 

Lemma 5.15. //t T then t _L. 

Proof. Induction on α. The proof is similar to the proof of condition (3) in Lemma 4.2.3 for t = 0. 

First note that the inductive hypothesis implies that if t ti and t ~^ T2 then ti — T2. Indeed, 
assuming otherwise, the only non-obvious case is when t = Kt' . But then t' T ^' ^<a -^j 

there exists β < α such that t' ^r ti >~^p T and t' t2 -L. By Lemma 5.13 and the Church-Rosser 
property this implies the existence of f4 satisfying t^ T and t^ _L, which contradicts the inductive 
hypothesis. 

The claim is immediate for a — Q. Suppose t >~l^ T and t ± for a > 0. We have t = Stii2. So 
there exists ti such that ti ~^ ri and for all s' > s and all t' G we have t2t' T. There also exist 
T2, € Tt-2, and s' > s such that ti ~* T2 and t2t3 '^<a -L. But we have ti = T2. Hence ^2^3 '^<q T, 
which contradicts the inductive hypothesis. □ 

Lemma 5.16. Let $C$ be a context and let $\rho \in \{\top, \bot\}$. If $C[\rho] \twoheadrightarrow_R t$ then there exists a context $C'$ such 
that $C \twoheadrightarrow_R C'$ and $t = C'[\rho]$. 

Proof. Because there are no rules in $R$ involving $\rho$, the claim is easy to verify by induction on the number 
of reduction steps. □ 

The following lemma is a much simplified analogue of Lemma 4.2.10. 

Lemma 5.17. Ift pi and C[pi] p2 then C[t] p2. 

Proof. Induction on a. First note that it follows from the inductive hypothesis that if t p and 
C[p] T then C[t] r. The non-obvious case is when t ~ ljj or t = e. Suppose e.g. t = lu. Then 
C EE KC and C'[p] T. By the IH we obtain C'[t\ T, and thus C[t\ tu. 

Suppose t pi and C[pi] p2. By Lemma 5.16 we have C ^r C where C"[pi] p2- It suffices 
to show that C'[t] p2. 

First assume a = 0. The claim is obvious if C" does not contain □, so assume it does. Then by 
inspecting the definitions we see that there are the following two possibilities. 

• If C" = □ and pi = p2 then the claim is obvious. 



• If C = HU and p2 = T, then either i ^ T or i _L. If i _L then i/t ^ T by definition, li t y T 
then i7i >- T by condition [Hj). 

Now let a > 0. If C" = SC1C2 and P2 = T then there exists r such that Ci[pi] t and for all 
s' > s and all ts G T,- we have C2[pi\t^ '^<q T. We conclude by the inductive hypothesis that Ci[t\ t 
and for aU G and aU s' > s we have Ca^is T. Hence C'[t] T. If C" ^ SC1C2 or p2 = -L, 
then the proof is similar. □ 

As in Section 3] it remains to prove several simple lemmas implying that M satisfies the conditions 
imposed on an illative Kripke model for Iq- 

Lemma 5.18. // Ht -^^ T then t-^^T ort -^^^^ ±. 

Proof. The proof by induction on α is completely analogous to the proof of Lemma 4.2.12. □ 

Lemma 5.19. If Lt T then t t' t for some term t' and some type r. 

Proof. Induction on a. If Lt T then Lt Lto T where t to. If a = then to = Ar for 
T G S or ^0 = -ff : so to T by definition. The only remaining case is when a > and t^ = Kti. Then 
Hti = L{Kti) T, so c G {T, 1} by Lemma EHH Hence to = Kh r G {w, e}. □ 

Lemma 5.20. Ift r then for all to G we have tto T. 

Proof. The claim is obvious if t G r = o or r — e. If r = cj then t = Kt' where t' '^^^ T, so for any 
to we have tto t' T. □ 

Lemma 5.21. The following conditions are satisfied. 

• If Lti '^'^ T and for all s' > s and all t^ such that tit^ '^'^ T we have t2t3 T , then 'E.tit2 T . 

• If Lti T and for all s' > s and all t^ such that tit^ T we have II{t2t'i) T , then 
H{Etit2) T. 

Proof. Suppose Lti T and for all s' > s and all ^3 such that ^1^3 T we have ^2^3 T. By 
Lemma 5.19 there exist t[ and r such that ti -^r t[ r. It suffices to show that for all s' > s and all 
^3 G Tt- we have ^2^3 T. Then the condition (Ej) implies Et[t2 T, so 'E.tit2 T. Thus assume 
^3 G Tt- and s' > s. By Corollary 5.10 we have t'l t, so by Lemma 5.20 we obtain ^1^3 T. Hence 
^2*3 T by the initial assumption and we are done. 

The second claim is verified in a similar manner using Lemma 5.19, Lemma 5.20, Corollary 5.10 and 
Corollary 5.14. □ 

Lemma 5.22. // Siii2 T then for all s' > s and all terms t^ such that tit^, T we have 

t2H T. 

Proof. If Stit2 T then Stita Et'it'2 T. Thus t[ r for some t. Suppose s' > s and 
tits T. By Corollary 5.14 we have t[t3 T. It suffices to show that t2t3 T. If τ = ω then 
this is obvious. Note that we cannot have τ = ε. Indeed, if t[ e then t[ = Kt where t ±, 
but from t'^t^ T we conclude t T, which contradicts Lemma 5.15. If r G then t[ = Ar 
and ta = c G Sr = TTt, so ^2^3 T. Finally, if τ = o, then t[ = H and by Lemma 5.18 we have 
ts -^R ^3 p G {T,_L}. Since p G T,- we have ijP '^'^ T. By Lemma 5.17 we obtain ij^g -^'^ T, so 
t'^ts T. □ 

Corollary 5.23. The structure $\mathcal{M}$ constructed in Definition 5.7 is an illative Kripke model for $\mathcal{I}_0$. 

Proof. It suffices to check the conditions of Fact 5.8. Condition (1) follows from Corollary 5.14. 
Condition (2) is a consequence of Corollary 5.10. Condition (3) follows from Lemma 5.12. Conditions (4) 
and (6) follow from Lemma 5.21. Lemma 5.22 implies condition (5). Conditions (7) and (8) are obvious 
from definitions. □ 

Lemma 5.24. If r G T and c G S,- then for all states s we have AtC^^ T. 

Proof. Straightforward induction on the size of r. □ 



It remains to prove that the values in Af of formulas of PRED2o are faithfully represented by the 
values of their translations in A4. From this completeness will directly follow. 

Definition 5.25. For c G we denote by 6{c) the element of TV corresponding to c, if there is one. 
We say that an A^-valuation w mirrors an A/'-valuation w, if for every variable x there exists c G S+ 
such that w{x) = S{c) and {^{x) — [c]ij. In other words, w is the valuation assigning to each variable x 
the equivalence class of the constant corresponding to the element wlx). Note that given w the valuation 
w is uniquely determined. 

To avoid confusion, from now on we use qi, q2, etc. for terms of PRED2o. By ti, t2, etc. we denote 
closed terms from T(I]+). We use c, ci, C2, etc. for constants from E+. 

Lemma 5.26. For any J\f -valuation w and any term q of PRED2q which is not a formula, we have 
WiWm = [c\r for some c £ S+ such that 5{c) = {qfj^. 

Proof. Induction on the size of q. If g is a constant then \q] = q and [[(z]]X< ~ \qVjU = Im{<i) = [c]/j 
for some c S S+ such that 6{c) = [f?]^. If g = a; is a variable of type t E B then \q] = x. So 
[[^llXi = w{x) — [c]fl for c G E+ such that w{x) = 5(c), by definition of w. 

Otherwise q = qiq2. Neither qi nor (72 is a formula, so by the inductive hypothesis IfgiUXt = 
and llpMli = [C2U where 5(ci) = [gi]^ and S{c2) = fel]^^. We have M = [^ilfe], so [M]™, = 
ir^illXf -M l\q2]jM = [ci]r -m [c2]r = [ciC2]fl. Let c e E+ be such that S{c) = S{ci) -^f 5{c2). 
In R there is a reduction rule C1C2 -> c because F{ci){c2) = c. Thus [ciC2]_r = [c\r. We also have 

Lemma 5.27. For any formula cf) of PRED2q, any state s, and any M -valuation w we have: 

S,w\\-J\f(l> iff SjWl^M \<f\ 

Proof. Induction on the size of (j). 

If (/) is a variable or a constant, then our claim follows easily from definitions. If </> = qiq2, then 
neither q1 nor q2 is a formula, so by Lemma 5.26 we have |[(7i]]Xi ~ [ci]fl and |[(72llXi ~ [c2]i? where 
ci,C2 e S+ and S{ci) = fqii^, S{c2) = lq2^^r■ We have [ci]^ • [c2]r = [ciC2]r = [c]r for c € E+ such 
that (5(c) = <5(ci) -TV" S{c2) = |iii2]jv-- The claim now follows from the definition of 

= ip D ip then [0] = lifl D [-0] . Suppose s, w Ih^n \lp~\ Z) [Vl ■ Let s' > s be such that s', w \\-_\f (p. 
By the inductive hypothesis s', w \\-m ■ Note that we also have s', w \\-m \(p] Z) ■ By condition ^ 
in Fact 3.5 we obtain s',w \\-m \'4'^, which implies s',w \\-j\f tp by the IH. From Definition 2.3 it now 
follows that s,w \\-j\f if D ijj. The other direction is analogous. 

If = \/x.ip where x ^Vr, t G BU {o}, then [Va;.(/9] = EAt-Xx. \ip] . 

Suppose s,w \\-M I'^x.ip], i.e. s,w \\-m ^ArXx.\ip]. Let s' > s, c? e "D^ , and u — w[x/d]. There 
exists c € S"*" such that u{x) = [c]r and S{c) = d. The constant c is a canonical constant of type 
T e BU {0}, so s',w \\-M ^tC, by definition of M. We also have s' ,w Ih^ S^t-Ax. [(p] , so we conclude 
that s\w IhjV) {\x.\ip\)c. This implies s',u W^m and hence s',w[x/d] Ihjv" f by the IH. Therefore 
s,w Ih^ Va;.<^, by Definition 12.31 

For the other direction, we need to show that if s^w \\-m Vx.i/j then s,w W^m Svl^-Ax. [(^] , where 
r e S U {o}. If V is an TM-valuation and t G T(I]+), then by t" we denote the term t with every free 
variable x substituted for a representant of the equivalence class v(x). By induction on the size of t 
one may easily verify that |t]Xi = I^^Ia^j but Lemma 5.12 is needed for the case of lambda-abstraction. 
Hence s,u \\-m t is equivalent to f" T. Now the condition s,w \\-m 'E.At-Xx.\(p] may be reformulated 
as 'E.Ar{Xx.\ip])'^ T. Therefore it suffices to prove, assuming s,w Vx.c^, that for all canonical 
terms t G T,- of type r and all s' > s we have {Xx.\ip])^t T. For any r G S U {0} and t G Tr 
the value of (5 on i is defined. Thus let u — w[x/S{t)]. We have u — w[x/t]. Hence {Xx.\(p])'^t T 
is equivalent to T, which is the same as s,u Ih^vi [(p]- Because s,w Ihyv 'ix.ip, s' > s and 

u = w[x/S{t)], we conclude that s',u \\-j\f ip. By the inductive hypothesis we obtain s,m Ih^n \(p] which 
completes the proof. □ 

Theorem 5.28. The embedding is complete, i.e. $[\Delta], \Gamma(\Delta, \varphi) \vdash_{\mathcal{I}_0} [\varphi]$ implies $\Delta \vdash_{\mathrm{PRED2}_0} \varphi$. 

Proof. Suppose A Fpred2o Let A/" be a Kripke model, v an A/'-valuation and s a state of M such 
that s,v \\-j\f A, but s, u H^jv' ^- We use the construction in Definition 5.7 to obtain an illative Kripke 
model M. By Lemma 5.27 the condition s,v \\-^ "0 is equivalent to s,v\\-m ['Al- Therefore s,v\\-m [A] 
but s,v Using Lemma 5.24 it is a matter of routine to verify that also s,v \\-m r(A,93). By the 
soundness part of Theorem 3.6 this implies [A] , r(A, 93) I'p]- □ 



6 Remarks and open problems 

Remark 6.1. In this paper we use lambda-calculus with βη-equality. Lambda-calculus with β-equality 
or combinatory logic with weak equality could be used instead. The proofs and definitions would only 
need minor adjustments. 

Remark 6.2. It is clear that the methods presented here may be used to prove completeness of the 
embedding of propositional second-order logic into an extension of $\mathcal{I}P$ from [BBD93]. This extension 
of $\mathcal{I}P$ is essentially $\mathcal{I}_0$ but with rules Pi, Pe, Ph from Lemma 3.2 instead of the more general rules 
for Ξ. Whether such an extension is complete for second-order propositional logic was posed as an open 
problem in [BBD93]. 

The open problem related to $\mathcal{I}_0$ given in [BBD93] was whether full second-order predicate logic may 
be faithfully embedded into it. We do not know the answer to this question. One problem with extending 
our methods was already noted in Remark 5.11. It is not straightforward to extend our construction 
to obtain a model with quantification over predicates and more than one state. Another obstacle is 
that our construction of a model for crucially depends on the fact that the model of PREDw'^ being 
transformed is a full model. Thus the construction cannot be used to show completeness of an embedding 
of PREDcj*^ into 2^. Informally speaking, a full model is needed to ensure that no "essentially new" 
functions may be "created" at later stages α of the inductive definition. 

In [DBB98a] and [DBB98b] two indirect propositions-as-types translations of first-order propositional 
and predicate logic were shown complete for two stronger illative systems $\mathcal{I}F$ and $\mathcal{I}G$. It is interesting 
whether our methods may be used to obtain these results, or improve on them. 

Remark 6.3. In [Cza11] we presented an algebraic treatment of a combination of untyped combinatory 
logic with first-order classical logic. The model construction and the completeness proof there follow 
essentially the same pattern as those presented here, but they are much simpler. The system in [Cza11] 
also has the peculiarity that it contains an additional constant Cond which, unsurprisingly, behaves like 
a conditional and allows for branching on formulas. It is not difficult to see that we could add such a 
constant to and our model construction would still go through. 

Remark 6.4. The construction from Section 4 could also be used to show that classical many-sorted 
first-order logic may be faithfully embedded into I^, but we omit this proof as it is analogous to that 
from Section 5. We do not know whether I^ is conservative over stronger systems of logic, or whether I^^ 
is conservative over intuitionistic first-order logic. 